class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class removed_class
class modified_add_perm
class modified_remove_perm
class modified_change_common

sid kernel
sid security
sid matched_sid
sid removed_sid
sid modified_sid

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
    ioctl
}

common removed_common
{
    old_com
}

common modified_remove_perm
{
    same_perm
    removed_perm
}

common modified_add_perm
{
    matched_perm
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

class removed_class
{
    null_perm
}

class modified_add_perm
{
    same_perm
}

class modified_remove_perm
{
    same_perm
    removed_perm
}

class modified_change_common
inherits removed_common

# matching defaults:
default_user infoflow source;
default_role infoflow source;
default_type infoflow source;
default_range infoflow source low;

# added:

# removed:
default_role infoflow3 source;
default_range infoflow3 target high;

# modified:
default_type infoflow4 source;
default_range infoflow4 source low;

# modified range:
default_range infoflow5 target low;

# modified both
default_range infoflow6 source high;

sensitivity s0 alias { al1 al2 };
sensitivity s1 alias { al3 };
sensitivity s2;
sensitivity s3;
sensitivity s40;
sensitivity s41;
sensitivity s42;
sensitivity s43;
sensitivity s44;
sensitivity s45;
sensitivity s47;

dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s47 }

category c0 alias { spam eggs };
category c1 alias { bar };
category c2;
category c3;
category c4;
category c5;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s40:c1;
level s41:c0.c4;
level s42:c0.c4;
level s43:c0.c4;
level s44:c0.c4;
level s45:c0.c4;
level s47:c0.c4;

# matching mls constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

# added mls constraint

# removed mls constraint
mlsconstrain infoflow4 hi_w ((l1 domby l2 and h1 domby h2) or (t1 == mls_exempt));

# remove/add mls constraint (expression change)
mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 dom h2) or (t1 == mls_exempt));

# matching mls validatetrans
mlsvalidatetrans infoflow (h1 == h2 or t3 == system);

# added mls validatetrans

# removed mls validatetrans
mlsvalidatetrans infoflow4 ((l1 == l2 and h1 == h2) or t3 == mls_exempt);

# remove/add mls validatetrans (expression change)
mlsvalidatetrans infoflow5 ((l1 dom l2 and h1 dom h2) or (t3 == mls_exempt));

attribute mls_exempt;
attribute an_attr;
attribute removed_attr;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

type removed_type;

type modified_remove_attr, an_attr;

type modified_remove_alias alias an_alias;

type modified_remove_permissive;
permissive modified_remove_permissive;

type modified_add_attr;

type modified_add_alias;

type modified_add_permissive;

role removed_role;

role modified_add_type;

role modified_remove_type;
role modified_remove_type types { system };

# booleans
bool same_bool true;
bool removed_bool true;
bool modified_bool false;

# Allow rule differences
type matched_source;
type matched_target;
allow matched_source matched_target:infoflow hi_w;

type removed_rule_source;
type removed_rule_target;
allow removed_rule_source removed_rule_target:infoflow hi_r;

type added_rule_source;
type added_rule_target;

type modified_rule_add_perms;
allow modified_rule_add_perms self:infoflow hi_r;

type modified_rule_remove_perms;
allow modified_rule_remove_perms self:infoflow { low_r low_w };

type modified_rule_add_remove_perms;
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_w };

allow removed_type self:infoflow3 null;

type move_to_bool;
bool move_to_bool_b false;
allow move_to_bool self:infoflow4 hi_w;

type move_from_bool;
bool move_from_bool_b false;
if (move_from_bool_b) {
allow move_from_bool self:infoflow4 hi_r;
}

type switch_block;
bool switch_block_b false;
if (switch_block_b) {
allow system switch_block:infoflow5 hi_r;
allow system switch_block:infoflow6 hi_r;
} else {
allow system switch_block:infoflow7 hi_r;
}

attribute match_rule_by_attr;
type match_rule_by_attr_A_t, match_rule_by_attr;
type match_rule_by_attr_B_t, match_rule_by_attr;
allow match_rule_by_attr self:infoflow2 super_w;

attribute unioned_perm_via_attr;
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
allow unioned_perm_via_attr self:infoflow2 super_w;
allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;

# Auditallow rule differences
type aa_matched_source;
type aa_matched_target;
auditallow aa_matched_source aa_matched_target:infoflow hi_w;

type aa_removed_rule_source;
type aa_removed_rule_target;
auditallow aa_removed_rule_source aa_removed_rule_target:infoflow hi_r;

type aa_added_rule_source;
type aa_added_rule_target;

type aa_modified_rule_add_perms;
auditallow aa_modified_rule_add_perms self:infoflow hi_r;

type aa_modified_rule_remove_perms;
auditallow aa_modified_rule_remove_perms self:infoflow { low_r low_w };

type aa_modified_rule_add_remove_perms;
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };

auditallow removed_type self:infoflow7 super_unmapped;

type aa_move_to_bool;
bool aa_move_to_bool_b false;
auditallow aa_move_to_bool self:infoflow4 hi_w;

type aa_move_from_bool;
bool aa_move_from_bool_b false;
if (aa_move_from_bool_b) {
auditallow aa_move_from_bool self:infoflow4 hi_r;
}

type aa_switch_block;
bool aa_switch_block_b false;
if (aa_switch_block_b) {
auditallow system aa_switch_block:infoflow5 hi_r;
auditallow system aa_switch_block:infoflow6 hi_r;
} else {
auditallow system aa_switch_block:infoflow7 hi_r;
}

attribute aa_match_rule_by_attr;
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
auditallow aa_match_rule_by_attr self:infoflow2 super_w;

attribute aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;

# Dontaudit rule differences
type da_matched_source;
type da_matched_target;
dontaudit da_matched_source da_matched_target:infoflow hi_w;

type da_removed_rule_source;
type da_removed_rule_target;
dontaudit da_removed_rule_source da_removed_rule_target:infoflow hi_r;

type da_added_rule_source;
type da_added_rule_target;

type da_modified_rule_add_perms;
dontaudit da_modified_rule_add_perms self:infoflow hi_r;

type da_modified_rule_remove_perms;
dontaudit da_modified_rule_remove_perms self:infoflow { low_r low_w };

type da_modified_rule_add_remove_perms;
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };

dontaudit removed_type self:infoflow7 super_both;

type da_move_to_bool;
bool da_move_to_bool_b false;
dontaudit da_move_to_bool self:infoflow4 hi_w;

type da_move_from_bool;
bool da_move_from_bool_b false;
if (da_move_from_bool_b) {
dontaudit da_move_from_bool self:infoflow4 hi_r;
}

type da_switch_block;
bool da_switch_block_b false;
if (da_switch_block_b) {
dontaudit system da_switch_block:infoflow5 hi_r;
dontaudit system da_switch_block:infoflow6 hi_r;
} else {
dontaudit system da_switch_block:infoflow7 hi_r;
}

attribute da_match_rule_by_attr;
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
dontaudit da_match_rule_by_attr self:infoflow2 super_w;

attribute da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;

# Neverallow rule differences
type na_matched_source;
type na_matched_target;
neverallow na_matched_source na_matched_target:infoflow hi_w;

type na_removed_rule_source;
type na_removed_rule_target;
neverallow na_removed_rule_source na_removed_rule_target:infoflow hi_r;

type na_added_rule_source;
type na_added_rule_target;

type na_modified_rule_add_perms;
neverallow na_modified_rule_add_perms self:infoflow hi_r;

type na_modified_rule_remove_perms;
neverallow na_modified_rule_remove_perms self:infoflow { low_r low_w };

type na_modified_rule_add_remove_perms;
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };

neverallow removed_type self:removed_class null_perm;

attribute na_match_rule_by_attr;
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
neverallow na_match_rule_by_attr self:infoflow2 super_w;

attribute na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;

# type_transition rule differences
type tt_matched_source;
type tt_matched_target;
type_transition tt_matched_source tt_matched_target:infoflow system;

type tt_removed_rule_source;
type tt_removed_rule_target;
type_transition tt_removed_rule_source tt_removed_rule_target:infoflow system;

type tt_added_rule_source;
type tt_added_rule_target;

type tt_old_type;
type tt_new_type;
type_transition tt_matched_source system:infoflow tt_old_type;

type_transition removed_type system:infoflow4 system;

type tt_move_to_bool;
bool tt_move_to_bool_b false;
type_transition tt_move_to_bool system:infoflow3 system;

type tt_move_from_bool;
bool tt_move_from_bool_b false;
if (tt_move_from_bool_b) {
type_transition tt_move_from_bool system:infoflow4 system;
}

type tt_switch_block;
bool tt_switch_block_b false;
if (tt_switch_block_b) {
type_transition system tt_switch_block:infoflow5 system;
type_transition system tt_switch_block:infoflow6 system;
} else {
type_transition system tt_switch_block:infoflow7 system;
}

attribute tt_match_rule_by_attr;
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
type_transition tt_match_rule_by_attr system:infoflow2 system;

attribute tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;

# type_change rule differences
type tc_matched_source;
type tc_matched_target;
type_change tc_matched_source tc_matched_target:infoflow system;

type tc_removed_rule_source;
type tc_removed_rule_target;
type_change tc_removed_rule_source tc_removed_rule_target:infoflow system;

type tc_added_rule_source;
type tc_added_rule_target;

type tc_old_type;
type tc_new_type;
type_change tc_matched_source system:infoflow tc_old_type;

type_change removed_type system:infoflow4 system;

type tc_move_to_bool;
bool tc_move_to_bool_b false;
type_change tc_move_to_bool system:infoflow3 system;

type tc_move_from_bool;
bool tc_move_from_bool_b false;
if (tc_move_from_bool_b) {
type_change tc_move_from_bool system:infoflow4 system;
}

type tc_switch_block;
bool tc_switch_block_b false;
if (tc_switch_block_b) {
type_change system tc_switch_block:infoflow5 system;
type_change system tc_switch_block:infoflow6 system;
} else {
type_change system tc_switch_block:infoflow7 system;
}

attribute tc_match_rule_by_attr;
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
type_change tc_match_rule_by_attr system:infoflow2 system;

attribute tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
type_change tc_unioned_perm_via_attr system:infoflow2 system;
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;

# type_member rule differences
type tm_matched_source;
type tm_matched_target;
type_member tm_matched_source tm_matched_target:infoflow system;

type tm_removed_rule_source;
type tm_removed_rule_target;
type_member tm_removed_rule_source tm_removed_rule_target:infoflow system;

type tm_added_rule_source;
type tm_added_rule_target;

type tm_old_type;
type tm_new_type;
type_member tm_matched_source system:infoflow tm_old_type;

type_member removed_type system:infoflow4 system;

type tm_move_to_bool;
bool tm_move_to_bool_b false;
type_member tm_move_to_bool system:infoflow3 system;

type tm_move_from_bool;
bool tm_move_from_bool_b false;
if (tm_move_from_bool_b) {
type_member tm_move_from_bool system:infoflow4 system;
}

type tm_switch_block;
bool tm_switch_block_b false;
if (tm_switch_block_b) {
type_member system tm_switch_block:infoflow5 system;
type_member system tm_switch_block:infoflow6 system;
} else {
type_member system tm_switch_block:infoflow7 system;
}

attribute tm_match_rule_by_attr;
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
type_member tm_match_rule_by_attr system:infoflow2 system;

attribute tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
type_member tm_unioned_perm_via_attr system:infoflow2 system;
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;

# range_transition rule differences
type rt_matched_source;
type rt_matched_target;
range_transition rt_matched_source rt_matched_target:infoflow s0;

type rt_removed_rule_source;
type rt_removed_rule_target;
range_transition rt_removed_rule_source rt_removed_rule_target:infoflow s1;

type rt_added_rule_source;
type rt_added_rule_target;

range_transition rt_matched_source system:infoflow s2:c0 - s3:c0.c2;

range_transition removed_type system:infoflow4 s1;

# range transitions cannot be conditional.
#type rt_move_to_bool;
#bool rt_move_to_bool_b false;
#range_transition rt_move_to_bool system:infoflow3 s0;

#type rt_move_from_bool;
#bool rt_move_from_bool_b false;
#if (rt_move_from_bool_b) {
#range_transition rt_move_from_bool system:infoflow4 s0;
#}

#type rt_switch_block;
#bool rt_switch_block_b false;
#if (rt_switch_block_b) {
#range_transition system rt_switch_block:infoflow5 s0;
#range_transition system rt_switch_block:infoflow6 s0;
#} else {
#range_transition system rt_switch_block:infoflow7 s0;
#}

attribute rt_match_rule_by_attr;
type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
range_transition rt_match_rule_by_attr system:infoflow2 s0;

attribute rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
range_transition rt_unioned_perm_via_attr system:infoflow2 s0;
range_transition rt_unioned_perm_via_attr_A_t system:infoflow2 s0;

# role allow
role matched_source_r;
role matched_target_r;
allow matched_source_r matched_target_r;

role removed_rule_source_r;
role removed_rule_target_r;
allow removed_rule_source_r removed_rule_target_r;

role added_rule_source_r;
role added_rule_target_r;

allow removed_role system;

# role_transition
role role_tr_matched_source;
type role_tr_matched_target;
role_transition role_tr_matched_source role_tr_matched_target:infoflow system;

role role_tr_removed_rule_source;
type role_tr_removed_rule_target;
role_transition role_tr_removed_rule_source role_tr_removed_rule_target:infoflow5 system;

role role_tr_added_rule_source;
type role_tr_added_rule_target;

role_transition removed_role system:infoflow4 system;

role role_tr_old_role;
role role_tr_new_role;
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;

# Allowxperm rule differences
type ax_matched_source;
type ax_matched_target;
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;

type ax_removed_rule_source;
type ax_removed_rule_target;
allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002;

type ax_added_rule_source;
type ax_added_rule_target;

type ax_modified_rule_add_perms;
allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004;

type ax_modified_rule_remove_perms;
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };

type ax_modified_rule_add_remove_perms;
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };

allowxperm removed_type self:infoflow7 ioctl 0x0009;

attribute ax_match_rule_by_attr;
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;

attribute ax_unioned_perm_via_attr;
type ax_unioned_perm_via_attr_A_t, ax_unioned_perm_via_attr;
type ax_unioned_perm_via_attr_B_t, ax_unioned_perm_via_attr;
allowxperm ax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
allowxperm ax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
allowxperm ax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;

# Auditallowxperm rule differences
type aax_matched_source;
type aax_matched_target;
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;

type aax_removed_rule_source;
type aax_removed_rule_target;
auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002;

type aax_added_rule_source;
type aax_added_rule_target;

type aax_modified_rule_add_perms;
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004;

type aax_modified_rule_remove_perms;
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };

type aax_modified_rule_add_remove_perms;
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };

auditallowxperm removed_type self:infoflow7 ioctl 0x0009;

attribute aax_match_rule_by_attr;
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;

attribute aax_unioned_perm_via_attr;
type aax_unioned_perm_via_attr_A_t, aax_unioned_perm_via_attr;
type aax_unioned_perm_via_attr_B_t, aax_unioned_perm_via_attr;
auditallowxperm aax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
auditallowxperm aax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
auditallowxperm aax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;

# Neverallowxperm rule differences
type nax_matched_source;
type nax_matched_target;
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;

type nax_removed_rule_source;
type nax_removed_rule_target;
neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002;

type nax_added_rule_source;
type nax_added_rule_target;

type nax_modified_rule_add_perms;
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004;

type nax_modified_rule_remove_perms;
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };

type nax_modified_rule_add_remove_perms;
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };

neverallowxperm removed_type self:infoflow7 ioctl 0x0009;

attribute nax_match_rule_by_attr;
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;

attribute nax_unioned_perm_via_attr;
type nax_unioned_perm_via_attr_A_t, nax_unioned_perm_via_attr;
type nax_unioned_perm_via_attr_B_t, nax_unioned_perm_via_attr;
neverallowxperm nax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
neverallowxperm nax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
neverallowxperm nax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;

# Dontauditxperm rule differences
type dax_matched_source;
type dax_matched_target;
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;

type dax_removed_rule_source;
type dax_removed_rule_target;
dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002;

type dax_added_rule_source;
type dax_added_rule_target;

type dax_modified_rule_add_perms;
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004;

type dax_modified_rule_remove_perms;
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };

type dax_modified_rule_add_remove_perms;
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };

dontauditxperm removed_type self:infoflow7 ioctl 0x0009;

attribute dax_match_rule_by_attr;
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;

attribute dax_unioned_perm_via_attr;
type dax_unioned_perm_via_attr_A_t, dax_unioned_perm_via_attr;
type dax_unioned_perm_via_attr_B_t, dax_unioned_perm_via_attr;
dontauditxperm dax_unioned_perm_via_attr self:infoflow2 ioctl 0x000b;
dontauditxperm dax_unioned_perm_via_attr_A_t self:infoflow2 ioctl 0x000c;
dontauditxperm dax_unioned_perm_via_attr_B_t self:infoflow2 ioctl 0x000d;

################################################################################
# matching typebounds
type match_parent;
type match_child;
typebounds match_parent match_child;

# removed typebounds
type removed_parent;
type removed_child;
typebounds removed_parent removed_child;

# added typebounds
type added_parent;
type added_child;

# modified typebounds
type mod_parent_removed;
type mod_parent_added;
type mod_child;
typebounds mod_parent_removed mod_child;

# policycaps
policycap open_perms;
policycap network_peer_controls;

#users
user system roles system level s0 range s0;

user removed_user roles system level s0 range s0;

user modified_add_role roles system level s2 range s2;
user modified_remove_role roles { system removed_role } level s2 range s2;
user modified_change_level roles system level s2:c0 range s2:c0 - s2:c0,c1;
user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c3;

# matching constraints
constrain infoflow hi_w (u1 == u2 or t1 == system);
constrain infoflow hi_w (t1 == t2 or t1 == system);
constrain infoflow hi_r (r1 == r2 or t1 == system);

# added constraint

# removed constraint
constrain infoflow4 hi_w (u1 != u2);

# remove/add constraint (expression change)
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 == system));

# matching validatetrans
validatetrans infoflow (u1 == u2 or t3 == system);
validatetrans infoflow (r1 == r2 or t3 == system);
validatetrans infoflow2 (u1 == u2 or t3 == system);

# added validatetrans

# removed validatetrans
validatetrans infoflow4 (u1 == u2 or t3 == system);

# remove/add validatetrans (expression change)
validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system));

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
sid matched_sid system:system:system:s0
sid removed_sid removed_user:system:system:s0
sid modified_sid system:system:system:s0

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
fs_use_task removed_fsuse system:object_r:system:s0;
fs_use_trans modified_fsuse removed_user:object_r:system:s0;

#genfscon
genfscon proc / system:object_r:system:s0
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s0
genfscon removed_genfs / system:object_r:system:s0
genfscon change_path /old system:object_r:system:s0
genfscon modified_genfs / -s removed_user:object_r:system:s0

# matched portcons
portcon tcp 80 system:object_r:system:s0
portcon udp 80 system:object_r:system:s0
portcon udp 30-40 system:object_r:system:s0

# removed portcons
portcon udp 1024 system:object_r:system:s0
portcon tcp 1024-1026 system:object_r:system:s0

# modified portcons
portcon udp 3024 removed_user:object_r:system:s0
portcon tcp 3024-3026 removed_user:object_r:system:s0

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
netifcon removed_netif system:object_r:system:s0 system:object_r:system:s0
netifcon mod_ctx_netif removed_user:object_r:system:s0 system:object_r:system:s0
netifcon mod_pkt_netif system:object_r:system:s0 removed_user:object_r:system:s0
netifcon mod_both_netif removed_user:object_r:system:s0 removed_user:object_r:system:s0

# matched nodecons
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0

# removed nodecons
nodecon 127.0.0.2 255.255.255.255 removed_user:object_r:system:s0
nodecon ::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff removed_user:object_r:system:s0

# modified nodecons
nodecon 127.0.0.3 255.255.255.255 modified_change_level:object_r:system:s2:c1
nodecon ::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff modified_change_level:object_r:system:s2:c0,c1

# change netmask (add/remove)
nodecon 127.0.0.5 255.255.255.255 system:object_r:system:s0
nodecon ::5 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0