Access Vector Rules

allow

Specifies the access allowed between a source and target type. Note that the access an allow rule grants may be further refined by constraint rules: validatetrans or mlsvalidatetrans statements constrain on the source, target and class, while constrain or mlsconstrain statements constrain on the source, target, class and permissions. Where source_id or target_id is a typeattribute, the rule applies to every type that is a member of that attribute; with self, each source type is paired only with itself, not with every other member of the attribute.

Rule definition:

Where:

allow: The allow keyword.

source_id: A single previously defined type, typealias or typeattribute identifier.

target_id: A single previously defined type, typealias or typeattribute identifier. The self keyword may be used instead to signify that source and target are the same.

classpermissionset_id: A single named or anonymous classpermissionset, or a single set of classmap/classmapping identifiers.

Examples:

These examples show a selection of possible permutations of allow rules:

auditallow

Audit the access rights defined if there is a valid allow rule. Note: it does NOT allow access, it only audits the event. An auditallow rule produces an audit record only when the access is actually granted by a matching allow rule; on its own it neither grants nor denies anything, which makes it useful for monitoring a sensitive permission without changing the policy's effective access.

Rule definition:

Where:

auditallow: The auditallow keyword.

source_id: A single previously defined type, typealias or typeattribute identifier.

target_id: A single previously defined type, typealias or typeattribute identifier. The self keyword may be used instead to signify that source and target are the same.

classpermissionset_id: A single named or anonymous classpermissionset, or a single set of classmap/classmapping identifiers.

Example:

This example will log an audit event whenever the corresponding allow rule grants access to the specified permissions:

dontaudit

Do not audit the access rights defined when access is denied. This stops excessive log entries for known, harmless denials. Because a dontaudit rule hides denials, it can also mask a genuine policy problem: when debugging, build the policy with the CIL compiler command line flag -D (--disable-dontaudit), which leaves the dontaudit rules out of the binary policy so that the suppressed denials appear in the audit log again.

Rule definition:

Where:

dontaudit: The dontaudit keyword.

source_id: A single previously defined type, typealias or typeattribute identifier.

target_id: A single previously defined type, typealias or typeattribute identifier. The self keyword may be used instead to signify that source and target are the same.

classpermissionset_id: A single named or anonymous classpermissionset, or a single set of classmap/classmapping identifiers.

Example:

This example will not audit the denied access:

neverallow

Never allow the access rights defined. This is a compiler-enforced assertion: compilation stops until the offending rules are modified. The check can be skipped with the CIL compiler command line flag -N (--disable-neverallow), but a policy built that way is no longer guaranteed to satisfy its neverallow assertions, so the flag is for diagnosis rather than for production builds. Note also that neverallow rules are evaluated at compile time only; they are not part of the binary policy loaded into the kernel, so they protect against policy authoring mistakes, not against runtime changes.

Rule definition:

Where:

neverallow: The neverallow keyword.

source_id: A single previously defined type, typealias or typeattribute identifier.

target_id: A single previously defined type, typealias or typeattribute identifier. The self keyword may be used instead to signify that source and target are the same.

classpermissionset_id: A single named or anonymous classpermissionset, or a single set of classmap/classmapping identifiers.

Example:

This example will not compile as type_3 is not allowed to be a source type for the allow rule:
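The following is an added example, not code from the CIL reference or from the secilc compiler: a toy checker that applies the semantics of the four access vector rules described above (attribute expansion, the per-type meaning of self, auditallow depending on a matching allow, dontaudit removal under -D, and neverallow as a build-stopping assertion that -N skips) to a small constructed CIL policy. The sample policy, the type names (app_t, system_t, untrusted_t, domain) and the supported statement subset are all assumptions made for the example; named classpermissionsets, classmaps and set expressions are not handled.

```python
"""Toy checker for CIL allow/auditallow/dontaudit/neverallow rules. Added example, not
code from the CIL reference or from secilc; it handles only the subset used in POLICY."""

AV_KINDS = ("allow", "auditallow", "dontaudit", "neverallow")

# Constructed sample policy (not from the page); the first neverallow is deliberately violated.
POLICY = """
(class file (read write open getattr))
(type app_t)
(type system_t)
(type untrusted_t)
(typeattribute domain)
(typeattributeset domain (app_t system_t untrusted_t))
(allow domain self (file (read open getattr)))
(allow system_t app_t (file (all)))
(allow untrusted_t app_t (file (read write)))
(auditallow untrusted_t app_t (file (write)))
(dontaudit domain self (file (write)))
(neverallow untrusted_t domain (file (write)))
(neverallow domain system_t (file (write)))
"""


class PolicyError(Exception):
    """Raised where secilc would refuse to compile: bad reference or neverallow hit."""


def parse(text):
    """Turn CIL s-expressions into nested lists; atoms stay as strings."""
    stack = [[]]
    for tok in text.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise PolicyError("unbalanced parentheses")
    return stack[0]


class Policy:
    def __init__(self, text):
        self.classes, self.types, self.attrs, self.rules = {}, set(), {}, []
        attr_sets = []
        for stmt in parse(text):
            kw = stmt[0]
            if kw == "class":
                self.classes[stmt[1]] = set(stmt[2])
            elif kw == "type":
                self.types.add(stmt[1])
            elif kw == "typeattribute":
                self.attrs[stmt[1]] = set()
            elif kw == "typeattributeset":
                attr_sets.append((stmt[1], stmt[2]))
            elif kw in AV_KINDS:  # (kind source target (class (perms)))
                self.rules.append((kw, stmt[1], stmt[2], stmt[3][0], stmt[3][1]))
        # Resolve attribute membership after every type is declared; (all) means every type.
        for attr, members in attr_sets:
            wanted = self.types if members == ["all"] else set(members)
            if attr not in self.attrs or wanted - self.types:
                raise PolicyError(f"bad typeattributeset for {attr}")
            self.attrs[attr] |= wanted

    def expand_types(self, name):
        if name not in self.attrs and name not in self.types:
            raise PolicyError(f"undeclared type or attribute: {name}")
        return self.attrs.get(name, {name})

    def expand_rule(self, src, tgt, cls, perms):
        """One AV rule -> concrete (source type, target type, class, permission) tuples."""
        if cls not in self.classes or (perms != ["all"] and set(perms) - self.classes[cls]):
            raise PolicyError(f"undeclared class or permission in ({cls} {perms})")
        perm_set = self.classes[cls] if perms == ["all"] else set(perms)
        out = set()
        for s in self.expand_types(src):
            # self pairs each source type with itself, not with every member of the attribute
            for t in ({s} if tgt == "self" else self.expand_types(tgt)):
                out.update((s, t, cls, p) for p in perm_set)
        return out

    def expand_all(self, disable_dontaudit=False, disable_neverallow=False):
        result = {k: set() for k in AV_KINDS}
        for kind, src, tgt, cls, perms in self.rules:
            if (kind == "dontaudit" and disable_dontaudit) or (kind == "neverallow" and disable_neverallow):
                continue  # secilc -D drops dontaudit rules from the binary; -N skips the neverallow check
            result[kind] |= self.expand_rule(src, tgt, cls, perms)
        return result

    def neverallow_violations(self):
        rules = self.expand_all()
        return sorted(rules["neverallow"] & rules["allow"])

    def compile(self, disable_dontaudit=False, disable_neverallow=False):
        """Mimic secilc: refuse to build while any neverallow is violated (unless -N is given)."""
        if not disable_neverallow and self.neverallow_violations():
            raise PolicyError(f"neverallow violated: {self.neverallow_violations()}")
        rules = self.expand_all(disable_dontaudit, disable_neverallow)
        rules["auditallow"] &= rules["allow"]  # audit records only for access an allow rule grants
        return rules
```

Running `Policy(POLICY).compile()` fails with a PolicyError naming the single offending access, (untrusted_t, app_t, file, write), because the rule `(allow untrusted_t app_t (file (read write)))` grants what the first neverallow forbids; the second neverallow is satisfied, since nothing grants write to system_t. Passing `disable_neverallow=True` builds anyway, which is exactly the safety net that `-N` removes, and `disable_dontaudit=True` yields an empty dontaudit set, mirroring what `-D` does to the binary policy.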