class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;

dominance { s0 s1 s2 s3 s4 s5 s6 }

category c0;
category c1;
category c2;
category c3;
category c4;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

role role20_r;
role role21a_r;
role role21b_r;
role role21c_r;

role role20_r types system;
role role21a_r types system;
role role21b_r types system;
role role21c_r types system;

type type30;
type type31a;
type type31b;
type type31c;
role system types { type30 type31a type31b type31c };

allow system self:infoflow hi_w;

#users
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4;
user user10 roles system level s0 range s0 - s2:c0.c4;
user user11a roles system level s0 range s0 - s2:c0.c4;
user user11b roles system level s0 range s0 - s2:c0.c4;
user user11c roles system level s0 range s0 - s2:c0.c4;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;

#genfscon
genfscon proc / system:object_r:system:s1
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s2:c0.c4

# test 1:
# protocol: UDP
# ports: unset
# user: unset
# role: unset
# type: unset
# range: unset
portcon udp 1 system:system:system:s0:c0.c1

# test 10:
# protocol: unset
# ports: unset
# user: user10, exact
# role: unset
# type: unset
# range: unset
portcon tcp 10 user10:system:system:s0:c0.c1

# test 11:
# protocol: unset
# ports: unset
# user: user11(a|b), regex
# role: unset
# type: unset
# range: unset
portcon tcp 11 user11a:system:system:s0:c0.c1
portcon tcp 11000 user11b:system:system:s0:c0.c1
portcon tcp 11001 user11c:system:system:s0:c0.c1

# test 20:
# protocol: unset
# ports: unset
# user: unset
# role: role20_r, exact
# type: unset
# range: unset
portcon tcp 20 system:role20_r:system:s0:c0.c1

# test 21:
# protocol: unset
# ports: unset
# user: unset
# role: role20(a|c)_r, regex
# type: unset
# range: unset
portcon tcp 21 system:role21a_r:system:s0:c0.c1
portcon tcp 21000 system:role21b_r:system:s0:c0.c1
portcon tcp 21001 system:role21c_r:system:s0:c0.c1

# test 30:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: type30
# range: unset
portcon tcp 30 system:system:type30:s0:c0.c1

# test 31:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: type31(b|c)
# range: unset
portcon tcp 31 system:system:type31a:s0:c0.c1
portcon tcp 31000 system:system:type31b:s0:c0.c1
portcon tcp 31001 system:system:type31c:s0:c0.c1

# test 40:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: equal
portcon tcp 40 system:system:system:s0:c1 - s0:c0.c4

# test 41:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: overlap
portcon tcp 41 system:system:system:s1:c1 - s1:c1.c3

# test 42:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: subset
portcon tcp 42 system:system:system:s2:c1 - s2:c1.c3

# test 43:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: superset
portcon tcp 43 system:system:system:s3:c1 - s3:c1.c3

# test 44:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
portcon tcp 44 system:system:system:s4:c1 - s4:c1.c3

# test 45:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
portcon tcp 45 system:system:system:s5:c1 - s5:c1.c3

# test 50:
# protocol: unset
# ports: (50, 50)
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50 system:system:system:s0:c0.c1

# test 51:
# protocol: unset
# ports: (50100, 50110)
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50100-50110 system:system:system:s0:c0.c1

# test 52:
# protocol: unset
# ports: (50200, 50200), subset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50200 system:system:system:s0:c0.c1

# test 53:
# protocol: unset
# ports: (50301, 50309), subset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50300-50310 system:system:system:s0:c0.c1

# test 54:
# protocol: unset
# ports: (50400, 50400), proper subset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50400 system:system:system:s0:c0.c1

# test 55:
# protocol: unset
# ports: (50501, 50509), proper subset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50500-50510 system:system:system:s0:c0.c1

# test 56:
# protocol: unset
# ports: (50600, 50602), superset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50601 system:system:system:s0:c0.c1

# test 57:
# protocol: unset
# ports: (50700, 50711), superset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50700-50710 system:system:system:s0:c0.c1

# test 58:
# protocol: unset
# ports: (50600, 50602), proper superset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50801 system:system:system:s0:c0.c1

# test 59:
# protocol: unset
# ports: (50900, 50911), proper superset
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 50901-50910 system:system:system:s0:c0.c1

# test 60:
# protocol: unset
# ports: (60001, 60001), overlap
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 60001 system:system:system:s0:c0.c1

# test 61:
# protocol: unset
# ports: (60100, 60105), overlap
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 60101-60110 system:system:system:s0:c0.c1

# test 62:
# protocol: unset
# ports: (60205, 60211), overlap
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 60200-60210 system:system:system:s0:c0.c1

# test 63:
# protocol: unset
# ports: (60305, 60308), overlap
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 60300-60310 system:system:system:s0:c0.c1

# test 64:
# protocol: unset
# ports: (60400, 60410), overlap
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 60400-60410 system:system:system:s0:c0.c1

# test 65:
# protocol: unset
# ports: (60500, 60510), overlap
# user: unset
# role: unset
# type: unset
# range: unset
portcon tcp 60501-60509 system:system:system:s0:c0.c1

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0