# handle_unknown deny
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process
sid xen
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;
policycap open_perms;
attribute ATTR1;
attribute ATTR2;
bool BOOL1 true;
type TYPE1;
type TYPE2;
type TYPE3;
type TYPE4;
typealias TYPE1 alias TYPEALIAS1;
typealias TYPE3 alias TYPEALIAS3A;
typealias TYPE3 alias TYPEALIAS3B;
typealias TYPE4 alias TYPEALIAS4;
typebounds TYPE4 TYPE3;
typeattribute TYPE4 ATTR2;
permissive TYPE1;
allow TYPE1 self:CLASS1 { PERM1 };
allow TYPE1 self:CLASS2 { CPERM1 };
auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
type_transition TYPE1 TYPE2:CLASS1 TYPE3;
type_member TYPE1 TYPE2:CLASS1 TYPE2;
type_change TYPE1 TYPE2:CLASS1 TYPE3;
type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
role ROLE1;
role ROLE2;
role ROLE3;
role ROLE1 types { TYPE1 };
role_transition ROLE1 TYPE1:CLASS1 ROLE2;
role_transition ROLE1 TYPE1:process ROLE2;
allow ROLE1 ROLE2;
user USER1 roles ROLE1;
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
sid xen USER1:ROLE1:TYPE1
pirqcon 13 USER1:ROLE1:TYPE1
iomemcon 0xd USER1:ROLE1:TYPE1
iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
ioportcon 0xd USER1:ROLE1:TYPE1
ioportcon 0x17-0x1f USER1:ROLE1:TYPE1
pcidevicecon 0xd USER1:ROLE1:TYPE1
devicetreecon "/path/to/device" USER1:ROLE1:TYPE1