class test1
class test10
class test11a
class test11b
class test11c
class test12a
class test12b
class test12c
class test20a
class test20b
class test20c
class test21a
class test21b
class test21c
class test30
class test31a
class test31b
class test40
class test41a
class test41b
class test50
class test51a
class test51b

sid kernel
sid security

common test
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}


class test1
inherits test

class test10
inherits test

class test11a
inherits test

class test11b
inherits test

class test11c
inherits test

class test12a
inherits test

class test12b
inherits test

class test12c
inherits test

class test20a
{
    test20ap
    test20bp
}

class test20b
{
    test20ap
    test20bp
}

class test20c
{
    test20ap
    test20bp
}

class test21a
{
    test21ap
    test21bp
}

class test21b
{
    test21ap
    test21bp
}

class test21c
{
    test21ap
    test21bp
}

class test30
inherits test

class test31a
inherits test

class test31b
inherits test

class test40
inherits test

class test41a
inherits test

class test41b
inherits test

class test50
inherits test

class test51a
inherits test

class test51b
inherits test

sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

dominance { low_s med high_s }

category here;
category there;
category elsewhere alias lost;

level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

# test 1:
# ruletype: mlsconstrain
# tclass: unset
# perms: unset
mlsconstrain test1 hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

role test30r;
role test30r types system;

role test31ra;
role test31ra types system;
role test31rb;
role test31rb types system;

type test40t;
type test41ta;
type test41tb;

user system roles system level med range low_s - high_s:here.lost;
user test50u roles system level med range low_s - high_s:here.lost;
user test51u1 roles system level med range low_s - high_s:here.lost;
user test51u2 roles system level med range low_s - high_s:here.lost;

# test 10:
# ruletype: unset
# tclass: test10
# perms: unset
# role: unset
# type: unset
# user: unset
constrain test10 hi_w (u1 == u2);

# test 11:
# ruletype: unset
# tclass: test11a, test11b
# perms: unset
# role: unset
# type: unset
# user: unset
constrain test11a hi_w (u1 == u2);
constrain test11b hi_w (u1 == u2);
constrain test11c hi_w (u1 == u2);

# test 12:
# ruletype: unset
# tclass: intoflow12(a|c), regex
# perms: unset
# role: unset
# type: unset
# user: unset
constrain test12a hi_w (u1 == u2);
constrain test12b hi_w (u1 == u2);
constrain test12c hi_w (u1 == u2);

# test 20:
# ruletype: unset
# tclass: unset
# perms: test20ap, test20bp
# role: unset
# type: unset
# user: unset
constrain test20a test20ap (u1 == u2);
constrain test20b test20bp (u1 == u2);

# test 21:
# ruletype: unset
# tclass: unset
# perms: test21ap, test21bp, equal
# role: unset
# type: unset
# user: unset
constrain test21a test21ap (u1 == u2);
constrain test21b test21bp (u1 == u2);
constrain test21c { test21bp test21ap } (u1 == u2);

# test 30:
# ruletype: unset
# tclass: unset
# perms: unset
# role: test30r
# type: unset
# user: unset
constrain test30 hi_w (u1 == u2 or r1 == test30r);

# test 31:
# ruletype: unset
# tclass: unset
# perms: unset
# role: test31r. regex
# type: unset
# user: unset
constrain test31a hi_w (u1 == u2 or r1 == test31ra);
validatetrans test31b (u1 == u2 or r2 == test31rb);

# test 40:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: test40
# user: unset
constrain test40 hi_w (u1 == u2 or t1 == test40t);

# test 41:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: test41. regex
# user: unset
constrain test41a hi_w (u1 == u2 or t1 == test41ta);
constrain test41b hi_w (u1 == u2 or t2 == test41tb);

# test 50:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: unset
# user: test50
constrain test50 hi_w (u1 == u2 or u1 == test50u);

# test 51:
# ruletype: unset
# tclass: unset
# perms: unset
# role: unset
# type: unset
# user: test51u. regex
constrain test51a hi_w (u1 == u2 or u1 == test51u1);
constrain test51b hi_w (u1 == u2 or u2 == test51u2);

#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

portcon tcp 80 system:object_r:system:low_s

netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here