# handle_unknown deny
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process
sid kernel
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;
attribute ATTR1;
attribute ATTR2;
expandattribute ATTR1 true;
expandattribute ATTR2 false;
type TYPE1;
type TYPE2, ATTR1;
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
type TYPE4 alias TYPEALIAS4, ATTR2;
typealias TYPE1 alias TYPEALIAS1;
typeattribute TYPE1 ATTR1;
typebounds TYPE4 TYPE3;
bool BOOL1 true;
tunable TUNABLE1 false;
tunable TUNABLE2 true;
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
type_change TYPE1 TYPE2 : CLASS1 TYPE3;
allow TYPE1 self : CLASS1 { PERM1 };
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
permissive TYPE1;
attribute_role ROLE_ATTR1;
role ROLE1;
role ROLE3;
role ROLE2, ROLE_ATTR1;
role_transition ROLE1 TYPE1 ROLE2;
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
allow ROLE1 ROLE2;
roleattribute ROLE3 ROLE_ATTR1;
role ROLE1 types { TYPE1 };
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
policycap open_perms;
user USER1 roles ROLE1;
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
validatetrans CLASS2 sameuser and t3 == ATTR1;
sid kernel USER1:ROLE1:TYPE1
pirqcon 13 USER1:ROLE1:TYPE1
iomemcon 13 USER1:ROLE1:TYPE1
iomemcon 23-31 USER1:ROLE1:TYPE1
ioportcon 13 USER1:ROLE1:TYPE1
ioportcon 23-31 USER1:ROLE1:TYPE1
pcidevicecon 13 USER1:ROLE1:TYPE1
devicetreecon "/path/to/device" USER1:ROLE1:TYPE1