# handle_unknown deny class CLASS1 class CLASS2 class CLASS3 class dir class file class process sid xen common COMMON1 { CPERM1 } class CLASS1 { PERM1 } class CLASS2 inherits COMMON1 class CLASS3 inherits COMMON1 { PERM1 } default_user { CLASS1 } source; default_role { CLASS2 } target; default_type { CLASS3 } source; policycap open_perms; attribute ATTR1; attribute ATTR2; bool BOOL1 true; type TYPE1; type TYPE2; type TYPE3; type TYPE4; typealias TYPE1 alias TYPEALIAS1; typealias TYPE3 alias TYPEALIAS3A; typealias TYPE3 alias TYPEALIAS3B; typealias TYPE4 alias TYPEALIAS4; typebounds TYPE4 TYPE3; typeattribute TYPE4 ATTR2; permissive TYPE1; allow TYPE1 self:CLASS1 { PERM1 }; allow TYPE1 self:CLASS2 { CPERM1 }; auditallow TYPE1 TYPE3:CLASS1 { PERM1 }; auditallow TYPE2 TYPE3:CLASS1 { PERM1 }; dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 }; dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 }; type_transition TYPE1 TYPE2:CLASS1 TYPE3; type_member TYPE1 TYPE2:CLASS1 TYPE2; type_change TYPE1 TYPE2:CLASS1 TYPE3; type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME"; type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME"; type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME"; type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME"; if (BOOL1) { } else { allow TYPE1 self:CLASS1 { PERM1 }; } role ROLE1; role ROLE2; role ROLE3; role ROLE1 types { TYPE1 }; role_transition ROLE1 TYPE1:CLASS1 ROLE2; role_transition ROLE1 TYPE1:process ROLE2; allow ROLE1 ROLE2; user USER1 roles ROLE1; constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2)); validatetrans CLASS2 (u1 == u2 and t3 == ATTR1); sid xen USER1:ROLE1:TYPE1 pirqcon 13 USER1:ROLE1:TYPE1 iomemcon 0xd USER1:ROLE1:TYPE1 iomemcon 0x17-0x1f USER1:ROLE1:TYPE1 ioportcon 0xd USER1:ROLE1:TYPE1 ioportcon 0x17-0x1f USER1:ROLE1:TYPE1 pcidevicecon 0xd USER1:ROLE1:TYPE1 devicetreecon "/path/to/device" USER1:ROLE1:TYPE1