# handle_unknown deny
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process
sid kernel
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 ioctl }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;
policycap open_perms;
attribute ATTR1;
attribute ATTR2;
bool BOOL1 true;
type TYPE1;
type TYPE2;
type TYPE3;
type TYPE4;
typealias TYPE1 alias TYPEALIAS1;
typealias TYPE3 alias TYPEALIAS3A;
typealias TYPE3 alias TYPEALIAS3B;
typealias TYPE4 alias TYPEALIAS4;
typebounds TYPE4 TYPE3;
typeattribute TYPE4 ATTR2;
permissive TYPE1;
allow TYPE1 self:CLASS1 { PERM1 };
allow TYPE1 self:CLASS2 { CPERM1 };
auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
type_transition TYPE1 TYPE2:CLASS1 TYPE3;
type_member TYPE1 TYPE2:CLASS1 TYPE2;
type_change TYPE1 TYPE2:CLASS1 TYPE3;
type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
if (BOOL1) {
} else {
    allow TYPE1 self:CLASS1 { PERM1 ioctl };
}
role ROLE1;
role ROLE2;
role ROLE3;
role ROLE1 types { TYPE1 };
role_transition ROLE1 TYPE1:CLASS1 ROLE2;
role_transition ROLE1 TYPE1:process ROLE2;
allow ROLE1 ROLE2;
user USER1 roles ROLE1;
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
sid kernel USER1:ROLE1:TYPE1
fs_use_xattr btrfs USER1:ROLE1:TYPE1;
fs_use_trans devpts USER1:ROLE1:TYPE1;
fs_use_task pipefs USER1:ROLE1:TYPE1;
genfscon proc "/" -d USER1:ROLE1:TYPE1
genfscon proc "/file1" -- USER1:ROLE1:TYPE1
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
portcon tcp 80 USER1:ROLE1:TYPE1
portcon udp 100-200 USER1:ROLE1:TYPE1
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1