# handle_unknown deny
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process
sid kernel
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 ioctl }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;
sensitivity s0;
sensitivity s1;
sensitivity s2 alias SENSALIAS;
dominance { s0 s1 SENSALIAS }
category c0;
category c1 alias CATALIAS;
level s0:c0;
level s1:c0,c1;
level s2;
mlsconstrain CLASS1 { PERM1 } l1 == l2;
mlsvalidatetrans CLASS1 r1 domby r2 and l1 incomp h2;
policycap open_perms;
attribute ATTR1;
attribute ATTR2;
expandattribute ATTR1 true;
expandattribute ATTR2 false;
type TYPE1;
type TYPE2, ATTR1;
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
type TYPE4 alias TYPEALIAS4, ATTR2;
typealias TYPE1 alias TYPEALIAS1;
typeattribute TYPE1 ATTR1;
typebounds TYPE4 TYPE3;
bool BOOL1 true;
tunable TUNABLE1 false;
tunable TUNABLE2 true;
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
type_change TYPE1 TYPE2 : CLASS1 TYPE3;
range_transition TYPE1 TYPE2 : CLASS1 s1:c0.c1;
allow TYPE1 self : CLASS1 { PERM1 };
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
permissive TYPE1;
attribute_role ROLE_ATTR1;
role ROLE1;
role ROLE3;
role ROLE2, ROLE_ATTR1;
role_transition ROLE1 TYPE1 ROLE2;
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
allow ROLE1 ROLE2;
roleattribute ROLE3 ROLE_ATTR1;
role ROLE1 types { TYPE1 };
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
user USER1 roles ROLE1 level s0 range s0 - s1:c0.c1;
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
# sameuser will be turned into (u1 == u2)
validatetrans CLASS2 sameuser and t3 == ATTR1;
sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0.c1
# fscon statements are not dumped
fscon 2 3 USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0.CATALIAS;
fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
# paths will be turned into quoted strings
genfscon proc / -d USER1:ROLE1:TYPE1:s0
genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0
portcon tcp 80 USER1:ROLE1:TYPE1:s0
portcon udp 100-200 USER1:ROLE1:TYPE1:s0
netifcon lo USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0
# hex numbers will be turned in decimal ones
ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1:s0
ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1:s0
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0