# Multi-Level Security Labeling Statements

Because there are many options for MLS labeling, the examples show only a limited selection of statements; however, a simple policy that will build is shown in the levelrange section.

## sensitivity

Declare a sensitivity identifier in the current namespace. Multiple sensitivity statements in the policy will form an ordered list.

Statement definition:

Where:

- sensitivity: The sensitivity keyword.
- sensitivity_id: The sensitivity identifier.

Example:

This example declares three sensitivity identifiers:

## sensitivityalias

Declares a sensitivity alias identifier in the current namespace. See the sensitivityaliasactual statement for an example that associates the sensitivityalias identifier.

Statement definition:

Where:

- sensitivityalias: The sensitivityalias keyword.
- sensitivityalias_id: The sensitivityalias identifier.

Example:

See the sensitivityaliasactual statement.

## sensitivityaliasactual

Associates a previously declared sensitivityalias identifier with a previously declared sensitivity identifier.

Statement definition:

Where:

- sensitivityaliasactual: The sensitivityaliasactual keyword.
- sensitivityalias_id: A single previously declared sensitivityalias identifier.
- sensitivity_id: A single previously declared sensitivity identifier.

Example:

This example associates sensitivity s0 with two sensitivity aliases:

## sensitivityorder

Define the sensitivity order, lowest to highest. Multiple sensitivityorder statements in the policy will form an ordered list.

Statement definition:

Where:

- sensitivityorder: The sensitivityorder keyword.
- sensitivity_id: One or more previously declared sensitivity or sensitivityalias identifiers.

Example:

This example shows two sensitivityorder statements that, when compiled, form a single ordered list. Note, however, that the second sensitivityorder statement starts with s2 so that the ordered list can be built.

## category

Declare a category identifier in the current namespace. Multiple category statements declared in the policy will form an ordered list.

Statement definition:

Where:

- category: The category keyword.
- category_id: The category identifier.

Example:

This example declares three category identifiers:

## categoryalias

Declares a category alias identifier in the current namespace. See the categoryaliasactual statement for an example that associates the categoryalias identifier.

Statement definition:

Where:

- categoryalias: The categoryalias keyword.
- categoryalias_id: The categoryalias identifier.

## categoryaliasactual

Associates a previously declared categoryalias identifier with a previously declared category identifier.

Statement definition:

Where:

- categoryaliasactual: The categoryaliasactual keyword.
- categoryalias_id: A single previously declared categoryalias identifier.
- category_id: A single previously declared category identifier.

Example:

Declares a category c0 and a category alias documents, and then associates them:

## categoryorder

Define the category order. Multiple categoryorder statements declared in the policy will form an ordered list. Note that this statement orders the categories so that category ranges can be validated.

Statement definition:

Where:

- categoryorder: The categoryorder keyword.
- category_id: One or more previously declared category or categoryalias identifiers.

Example:

This example orders one category alias and nine categories:

## categoryset

Declare an identifier for a set of contiguous or non-contiguous categories in the current namespace.

Notes:

- Category expressions are allowed in categoryset, sensitivitycategory, level, and levelrange statements.
- Category sets are not allowed in categoryorder statements.

Statement definition:

Where:

- categoryset: The categoryset keyword.
- categoryset_id: The categoryset identifier.
- category_id: Zero or more previously declared category or categoryalias identifiers. Note that at least one category_id identifier or expr parameter must be given.
- expr: Zero or more expressions; the valid operators and syntax are:

```
(and (category_id ...) (category_id ...))
(or (category_id ...) (category_id ...))
(xor (category_id ...) (category_id ...))
(not (category_id ...))
(range category_id category_id)
(all)
```

Examples:

These examples show a selection of categoryset statements:

## sensitivitycategory

Associate a sensitivity identifier with one or more categories. Multiple definitions for the same sensitivity form an ordered list of categories for that sensitivity. This statement is required before a level identifier can be declared.

Statement definition:

Where:

- sensitivitycategory: The sensitivitycategory keyword.
- sensitivity_id: A single previously declared sensitivity or sensitivityalias identifier.
- categoryset_id: A single previously declared categoryset (named or anonymous), or a list of category and/or categoryalias identifiers. The examples show each variation.

Examples:

These sensitivitycategory examples use a selection of category, categoryalias and categoryset identifiers:

## level

Declare a level identifier in the current namespace and associate it with a previously declared sensitivity and zero or more categories. Note that if categories are required, the sensitivitycategory statement must be used to associate those categories with the sensitivity before this statement can be resolved.

Statement definition:

Where:

- level: The level keyword.
- level_id: The level identifier.
- sensitivity_id: A single previously declared sensitivity or sensitivityalias identifier.
- categoryset_id: A single previously declared categoryset (named or anonymous), or a list of category and/or categoryalias identifiers. The examples show each variation.

Examples:

These level examples use a selection of category, categoryalias and categoryset identifiers:

## levelrange

Declare a level range identifier in the current namespace and associate a current (low) level and a clearance (high) level.

Statement definition:

Where:

- levelrange: The levelrange keyword.
- levelrange_id: The levelrange identifier.
- low_level_id: The current level, specified by a previously declared level identifier. This may be formed from named or anonymous components, as discussed in the level section and shown in the examples.
- high_level_id: The clearance or high level, specified by a previously declared level identifier. This may be formed from named or anonymous components, as discussed in the level section and shown in the examples.

Examples:

This example policy shows a levelrange statement together with all the other MLS labeling statements discussed in this section, and will compile as a standalone policy:

## rangetransition

Allows an object's level to transition to a different level. Generally used to ensure processes run with their correct MLS range; for example, init would run at SystemHigh and needs to initialise / run other processes at their correct MLS range.

Statement definition:

Where:

- rangetransition: The rangetransition keyword.
- source_type_id: A single previously declared type, typealias or typeattribute identifier.
- target_type_id: A single previously declared type, typealias or typeattribute identifier.
- class_id: A single previously declared class or classmap identifier.
- new_range_id: The new MLS range for the object class, given as a previously declared levelrange identifier. This entry may also be defined as an anonymous or named level, sensitivity, sensitivityalias, category, categoryalias or categoryset identifier.

Examples:

This rule will transition the range of sshd.exec to s0 - s1:c0.c3 on execution from init.process:

## mlsconstrain

This is described in the Constraints section.

## mlsvalidatetrans

This is described in the Constraints section.
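The statements above describe how the ordered sensitivity and category lists, the category expressions, the sensitivitycategory associations and the levelrange dominance rule fit together. As an added example (it is not the CIL reference's own text and not part of the CIL compiler), the following Python script models those rules over a small constructed policy: it merges sensitivityorder/categoryorder statements into one list in the way the sensitivityorder note describes (a second statement that does not overlap the first cannot be placed), evaluates categoryset expressions (all, range, and/or/xor and plain identifier lists), rejects a level whose categories were never associated with its sensitivity by sensitivitycategory, and rejects a levelrange whose high level does not dominate its low level. It assumes statements are resolved in document order, omits aliases, namespaces and the not operator, and does not handle rangetransition's type and class identifiers; a rangetransition's new_range would resolve exactly like the anonymous levelrange in the sample. The names parse_sexprs, merge_order, MlsPolicy and SAMPLE_POLICY are this example's own.

```python
"""Resolver for CIL MLS labeling statements: ordered lists, category sets, levels and ranges."""
import re

def parse_sexprs(text):
    """Tokenize CIL s-expressions (';' starts a comment) into nested lists of strings."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == ")":
            tok = stack.pop()  # the finished sub-list becomes the item appended to its parent
        if tok == "(":
            stack.append([])
        else:
            stack[-1].append(tok)
    return stack[0]

def merge_order(chains, declared):
    """Merge *order chains (adjacent = 'a precedes b') into one total order; chains must
    overlap, e.g. (s0 s1 s2) then (s2 s3), or some identifier's place stays undetermined."""
    after = {x: set() for x in declared}  # x -> identifiers that must follow x
    for chain in chains:
        for a, b in zip(chain, chain[1:]):
            after[a].add(b)
    order = []
    while after:  # repeatedly take the unique identifier that nothing remaining precedes
        first = [x for x in after if not any(x in later for later in after.values())]
        if len(first) != 1:
            raise ValueError(f"order is ambiguous or cyclic among {sorted(after)}")
        order.append(first[0])
        del after[first[0]]
    return order

class MlsPolicy:
    def __init__(self, text):  # pass 1: declarations and orderings; pass 2: sets, levels, ranges
        self.catsets, self.senscats, self.levels, self.ranges = {}, {}, {}, {}
        decl = {"sensitivity": [], "category": [], "sensitivityorder": [], "categoryorder": []}
        stmts = parse_sexprs(text)
        for kw, *a in stmts:
            if kw in decl:
                decl[kw].append(a[0])
        self.sens_order = merge_order(decl["sensitivityorder"], decl["sensitivity"])
        self.cat_order = merge_order(decl["categoryorder"], decl["category"])
        for kw, *a in stmts:  # each statement is resolved against what precedes it
            if kw == "categoryset":
                self.catsets[a[0]] = self.catset(a[1])
            elif kw == "sensitivitycategory":  # repeated statements extend the sensitivity's categories
                self.senscats[a[0]] = self.senscats.get(a[0], frozenset()) | self.catset(a[1])
            elif kw == "level":
                self.levels[a[0]] = self.level(a[1])
            elif kw == "levelrange":
                self.ranges[a[0]] = self.levelrange(a[1])

    def catset(self, expr):  # category, named categoryset, plain (c0 c1 ...) list, or operator form
        if isinstance(expr, str):
            if expr in self.catsets:
                return self.catsets[expr]
            return frozenset([self.cat_order[self.cat_order.index(expr)]])  # ValueError if unknown
        op, *args = expr
        if op == "all":
            return frozenset(self.cat_order)
        if op == "range":  # inclusive slice of the categoryorder list; a reversed range is rejected
            lo, hi = (self.cat_order.index(i) for i in args)
            if lo > hi:
                raise ValueError(f"range {args} runs against categoryorder")
            return frozenset(self.cat_order[lo:hi + 1])
        if op in ("and", "or", "xor"):
            x, y = self.catset(args[0]), self.catset(args[1])
            return {"and": x & y, "or": x | y, "xor": x ^ y}[op]
        return frozenset().union(*(self.catset(i) for i in expr))  # plain list of identifiers

    def level(self, ref):  # named level, or anonymous (sensitivity [categories]) form
        if isinstance(ref, str):
            return self.levels[ref]
        s, cats = ref[0], (self.catset(ref[1]) if len(ref) > 1 else frozenset())
        if s not in self.sens_order or not cats <= self.senscats.get(s, frozenset()):
            raise ValueError(f"level {ref}: sensitivity unknown or categories not associated with it")
        return (s, cats)

    def dominates(self, high, low):  # MLS dominance: sensitivity not lower and categories a superset
        return self.sens_order.index(high[0]) >= self.sens_order.index(low[0]) and low[1] <= high[1]

    def levelrange(self, ref):  # named levelrange, or anonymous (low high) pair; high must dominate low
        if isinstance(ref, str):
            return self.ranges[ref]
        low, high = (self.level(r) for r in ref)
        if not self.dominates(high, low):
            raise ValueError(f"high level {high} does not dominate low level {low}")
        return (low, high)

# Constructed sample policy for this example (the ';' comments are CIL comments).
SAMPLE_POLICY = """
(sensitivity s0) (sensitivity s1) (sensitivity s2) (sensitivity s3)
(sensitivityorder (s0 s1 s2)) (sensitivityorder (s2 s3))   ; overlap on s2 lets the two lists merge
(category c0) (category c1) (category c2) (category c3) (categoryorder (c0 c1 c2 c3))
(categoryset cats_all (all)) (categoryset cats_even (xor (range c0 c2) (c1)))   ; c0 c2
(sensitivitycategory s0 cats_all) (sensitivitycategory s1 (range c0 c2))
(sensitivitycategory s2 cats_all) (sensitivitycategory s3 cats_all)
(level systemlow (s0)) (level systemhigh (s3 (all))) (level confidential (s1 (c0 c1)))
(levelrange low_high (systemlow systemhigh)) (levelrange confidential_range ((s0) confidential))
"""
```

Loading SAMPLE_POLICY with MlsPolicy gives sens_order s0, s1, s2, s3 and cats_even as the set c0, c2; asking for a level such as (s1 (c3)) fails because c3 was never associated with s1, and a levelrange written with the higher level first fails the dominance check. Replacing the second sensitivityorder statement with one that does not share an identifier with the first makes merge_order raise, which is the situation the sensitivityorder note warns about.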