class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class process

sid kernel
sid security

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

class process
inherits infoflow
{
    transition
}

sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

dominance { low_s med high_s }

category here;
category there;
category elsewhere alias lost;

#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

################################################################################
# RBAC

# test 1
# ruletype: unset
# source: test1s, direct, no regex
# target: unset
# class: unset
# default: unset
role test1s;
role test1t;
allow test1s test1t;
role_transition test1s system:infoflow test1t;

# test 2
# ruletype: unset
# source: test2s, direct, regex
# target: unset
# class: unset
# default: unset
role test2s1;
role test2s2;
role test2s3;
role test2t;
allow test2s1 test2t;
role_transition test2s3 system:infoflow test2t;

# test 10
# ruletype: unset
# source: unset
# target: test10t, direct, no regex
# class: unset
# default: unset
role test10s;
role test10t;
allow test10s test10t;
role_transition test10s system:infoflow test10t;

# test 11
# ruletype: unset
# source: unset
# target: test11t(1|3), direct, regex
# class: unset
# default: unset
role test11s;
role test11t1;
role test11t2;
role test11t3;
allow test11s test11t1;
role_transition test11s system:infoflow test11t3;

# test 20
# ruletype: unset
# source: unset
# target: unset
# class: infoflow2, no regex
# default: unset
role test20;
role test20d1;
role test20d2;
role_transition test20 system:infoflow test20d1;
role_transition test20 system:infoflow2 test20d2;

# test 21
# ruletype: unset
# source: unset
# target: unset
# class: infoflow3,infoflow4 , no regex
# default: unset
role test21;
role test21d1;
role test21d2;
role test21d3;
role_transition test21 system:infoflow test21d1;
role_transition test21 system:infoflow4 test21d2;
role_transition test21 system:infoflow3 test21d3;

# test 22
# ruletype: unset
# source: unset
# target: unset
# class: infoflow(5|6), regex
# default: unset
role test22;
role test22d1;
role test22d2;
role test22d3;
role_transition test22 system:infoflow test22d1;
role_transition test22 system:infoflow5 test22d2;
role_transition test22 system:infoflow6 test22d3;

# test 30
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test30d, no regex
role test30s;
role test30d;
allow test30s test30d;
role_transition test30s system:infoflow test30d;

# test 31
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test31d(2|3), regex
role test31s;
role test31d1;
role test31d2;
role test31d3;
allow test31s test31d1;
allow test31s test31d2;
allow test31s test31d3;
role_transition test31s system:infoflow test31d1;
role_transition test31s system test31d2;
role_transition test31s system:infoflow7 test31d3;

################################################################################

#users
user system roles system level med range low_s - high_s:here.lost;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

portcon tcp 80 system:object_r:system:low_s

netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here