class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s40;
sensitivity s41;
sensitivity s42;
sensitivity s43;
sensitivity s44;
sensitivity s45;
sensitivity s46;

dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s46 }

category c0;
category c1;
category c2;
category c3;
category c4;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s40:c0.c4;
level s41:c0.c4;
level s42:c0.c4;
level s43:c0.c4;
level s44:c0.c4;
level s45:c0.c4;
level s46:c0.c4;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

allow system system:infoflow3 null;

########################################
#
# MLS Rule Query
#

# test 1
# ruletype: unset
# source: test1a, direct, no regex
# target: unset
# class: unset
# range: unset
attribute test1a;
type test1s, test1a;
type test1t;
type test1FAIL, test1a;
range_transition test1a test1t:infoflow s0;
range_transition test1FAIL test1FAIL:infoflow s1;

# test 2
# ruletype: unset
# source: test2s, indirect, no regex
# target: unset
# class: unset
# range: unset
attribute test2a;
type test2s, test2a;
type test2t;
range_transition test2a test2t:infoflow s0;
#range_transition test2s test2t:infoflow s1;

# test 3
# ruletype: unset
# source: test3a.*, direct, regex
# target: unset
# class: unset
# range: unset
attribute test3aS;
attribute test3b;
type test3s, test3aS;
type test3t;
type test3aFAIL, test3b;
range_transition test3s  test3t:infoflow s1;
range_transition test3aS test3t:infoflow2 s2;
range_transition test3b  test3t:infoflow s3;

# test 4
# ruletype: unset
# source: test4(s|t), indirect, regex
# target: unset
# class: unset
# range: unset
attribute test4a1;
attribute test4a2;
type test4s1, test4a1;
type test4t1, test4a2;
type test4FAIL;
range_transition test4a1 test4a1:infoflow s1;
range_transition test4a2 test4a2:infoflow2 s2;
range_transition test4FAIL test4FAIL:infoflow s3;

# test 5
# https://github.com/TresysTechnology/setools/issues/111
# Fix search with source criteria that is an attribute, indirect match
#
# ruletype: unset
# source: test5b, indirect
# target: unset
# class: unset
# default: unset
# boolean: unset
attribute test5a;
attribute test5b;
type test5t1, test5a, test5b;
type test5t2, test5b;
type test5target;
range_transition test5t1 test5target:infoflow s1;
range_transition test5t2 test5target:infoflow7 s2;

# test 10
# ruletype: unset
# source: unset
# target: test10a, direct, no regex
# class: unset
# range: unset
attribute test10a;
type test10s;
type test10t, test10a;
range_transition test10s test10a:infoflow s0;
range_transition test10s test10t:infoflow2 s1;

# test 11
# ruletype: unset
# source: unset
# target: test11t, indirect, no regex
# class: unset
# range: unset
attribute test11a;
type test11s;
type test11t, test11a;
range_transition test11s test11a:infoflow s0;
range_transition test11s test11t:infoflow2 s1;

# test 12
# ruletype: unset
# source: unset
# target: test12a.*, direct, regex
# class: unset
# range: unset
attribute test12aPASS;
attribute test12b;
type test12s;
type test12t, test12aPASS;
type test12aFAIL, test12b;
range_transition test12s  test12t:infoflow s0;
range_transition test12s test12aPASS:infoflow2 s1;
range_transition test12s  test12b:infoflow s2;

# test 13
# ruletype: unset
# source: unset
# target: test13(s|t), indirect, regex
# class: unset
# range: unset
attribute test13a1;
attribute test13a2;
type test13s1, test13a1;
type test13t1, test13a2;
type test13FAIL;
range_transition test13a1 test13a1:infoflow s0;
range_transition test13a2 test13a2:infoflow s1;
range_transition test13FAIL test13FAIL:infoflow s2;

# test 14
# https://github.com/TresysTechnology/setools/issues/111
# Fix search with target criteria that is an attribute, indirect match
#
# ruletype: unset
# source: test14b, indirect
# target: unset
# class: unset
# default: unset
# boolean: unset
attribute test14a;
attribute test14b;
type test14t1, test14a, test14b;
type test14t2, test14b;
type test14source;
range_transition test14source test14t1:infoflow s1;
range_transition test14source test14t2:infoflow7 s2;

# test 20
# ruletype: unset
# source: unset
# target: unset
# class: infoflow2, no regex
# range: unset
type test20;
range_transition test20 test20:infoflow s0;
range_transition test20 test20:infoflow7 s1;

# test 21
# ruletype: unset
# source: unset
# target: unset
# class: infoflow3,infoflow4 , no regex
# range: unset
type test21;
range_transition test21 test21:infoflow s0;
range_transition test21 test21:infoflow4 s1;
range_transition test21 test21:infoflow3 s2;

# test 22
# ruletype: unset
# source: unset
# target: unset
# class: infoflow(5|6), regex
# range: unset
type test22;
range_transition test22 test22:infoflow s0;
range_transition test22 test22:infoflow5 s1;
range_transition test22 test22:infoflow6 s2;

# test 40:
# ruletype: unset
# source: unset
# target: unset
# class: unset
# range: equal
type test40;
range_transition test40 test40:infoflow s40:c1 - s40:c0.c4;

# test 41:
# ruletype: unset
# source: unset
# target: unset
# class: unset
# range: overlap
type test41;
range_transition test41 test41:infoflow s41:c1 - s41:c1.c3;

# test 42:
# ruletype: unset
# source: unset
# target: unset
# class: unset
# range: subset
type test42;
range_transition test42 test42:infoflow s42:c1 - s42:c1.c3;

# test 43:
# ruletype: unset
# source: unset
# target: unset
# class: unset
# range: superset
type test43;
range_transition test43 test43:infoflow s43:c1 - s43:c1.c3;

# test 44:
# ruletype: unset
# source: unset
# target: unset
# class: unset
# range: proper subset
type test44;
range_transition test44 test44:infoflow s44:c1 - s44:c1.c3;

# test 45:
# ruletype: unset
# source: unset
# target: unset
# class: unset
# range: proper superset
type test45;
range_transition test45 test45:infoflow s45:c1 - s45:c1.c3;

################################################################################

#users
user system roles system level s0 range s0 - s46:c0.c4;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;

#genfscon
genfscon proc / system:object_r:system:s0
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s0

portcon tcp 80 system:object_r:system:s0

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0