diff --git a/tests/diff.py b/tests/diff.py
index f418700..7c38efd 100644
--- a/tests/diff.py
+++ b/tests/diff.py
@@ -1616,3 +1616,349 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
def test_modified_properties(self):
"""NoDiff: no modified properties."""
self.assertFalse(self.diff.modified_properties)
+
+
+class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
+
+ """
+ Policy difference test between MLS and standard (non-MLS) policy.
+
+ The left policy is an MLS policy. The right policy is identical to the
+ left policy, except with MLS disabled.
+ """
+
+ @classmethod
+ def setUpClass(cls):
+ cls.diff = PolicyDifference(SELinuxPolicy("tests/diff_left.conf"),
+ SELinuxPolicy("tests/diff_left_standard.conf"))
+
+ def test_added_types(self):
+ """MLSvsStandardDiff: no added types"""
+ self.assertFalse(self.diff.added_types)
+
+ def test_removed_types(self):
+ """MLSvsStandardDiff: no removed types"""
+ self.assertFalse(self.diff.removed_types)
+
+ def test_modified_types(self):
+ """MLSvsStandardDiff: no modified types"""
+ self.assertFalse(self.diff.modified_types)
+
+ def test_added_roles(self):
+ """MLSvsStandardDiff: no added roles."""
+ self.assertFalse(self.diff.added_roles)
+
+ def test_removed_roles(self):
+ """MLSvsStandardDiff: no removed roles."""
+ self.assertFalse(self.diff.removed_roles)
+
+ def test_modified_roles(self):
+ """MLSvsStandardDiff: no modified roles."""
+ self.assertFalse(self.diff.modified_roles)
+
+ def test_added_commons(self):
+ """MLSvsStandardDiff: no added commons."""
+ self.assertFalse(self.diff.added_commons)
+
+ def test_removed_commons(self):
+ """MLSvsStandardDiff: no removed commons."""
+ self.assertFalse(self.diff.removed_commons)
+
+ def test_modified_commons(self):
+ """MLSvsStandardDiff: no modified commons."""
+ self.assertFalse(self.diff.modified_commons)
+
+ def test_added_classes(self):
+ """MLSvsStandardDiff: no added classes."""
+ self.assertFalse(self.diff.added_classes)
+
+ def test_removed_classes(self):
+ """MLSvsStandardDiff: no removed classes."""
+ self.assertFalse(self.diff.removed_classes)
+
+ def test_modified_classes(self):
+ """MLSvsStandardDiff: no modified classes."""
+ self.assertFalse(self.diff.modified_classes)
+
+ def test_added_allows(self):
+ """MLSvsStandardDiff: no added allow rules."""
+ self.assertFalse(self.diff.added_allows)
+
+ def test_removed_allows(self):
+ """MLSvsStandardDiff: no removed allow rules."""
+ self.assertFalse(self.diff.removed_allows)
+
+ def test_modified_allows(self):
+ """MLSvsStandardDiff: no modified allow rules."""
+ self.assertFalse(self.diff.modified_allows)
+
+ def test_added_auditallows(self):
+ """MLSvsStandardDiff: no added auditallow rules."""
+ self.assertFalse(self.diff.added_auditallows)
+
+ def test_removed_auditallows(self):
+ """MLSvsStandardDiff: no removed auditallow rules."""
+ self.assertFalse(self.diff.removed_auditallows)
+
+ def test_modified_auditallows(self):
+ """MLSvsStandardDiff: no modified auditallow rules."""
+ self.assertFalse(self.diff.modified_auditallows)
+
+ def test_added_neverallows(self):
+ """MLSvsStandardDiff: no added neverallow rules."""
+ self.assertFalse(self.diff.added_neverallows)
+
+ def test_removed_neverallows(self):
+ """MLSvsStandardDiff: no removed neverallow rules."""
+ self.assertFalse(self.diff.removed_neverallows)
+
+ def test_modified_neverallows(self):
+ """MLSvsStandardDiff: no modified neverallow rules."""
+ self.assertFalse(self.diff.modified_neverallows)
+
+ def test_added_dontaudits(self):
+ """MLSvsStandardDiff: no added dontaudit rules."""
+ self.assertFalse(self.diff.added_dontaudits)
+
+ def test_removed_dontaudits(self):
+ """MLSvsStandardDiff: no removed dontaudit rules."""
+ self.assertFalse(self.diff.removed_dontaudits)
+
+ def test_modified_dontaudits(self):
+ """MLSvsStandardDiff: no modified dontaudit rules."""
+ self.assertFalse(self.diff.modified_dontaudits)
+
+ def test_added_type_transitions(self):
+ """MLSvsStandardDiff: no added type_transition rules."""
+ self.assertFalse(self.diff.added_type_transitions)
+
+ def test_removed_type_transitions(self):
+ """MLSvsStandardDiff: no removed type_transition rules."""
+ self.assertFalse(self.diff.removed_type_transitions)
+
+ def test_modified_type_transitions(self):
+ """MLSvsStandardDiff: no modified type_transition rules."""
+ self.assertFalse(self.diff.modified_type_transitions)
+
+ def test_added_type_changes(self):
+ """MLSvsStandardDiff: no added type_change rules."""
+ self.assertFalse(self.diff.added_type_changes)
+
+ def test_removed_type_changes(self):
+ """MLSvsStandardDiff: no removed type_change rules."""
+ self.assertFalse(self.diff.removed_type_changes)
+
+ def test_modified_type_changes(self):
+ """MLSvsStandardDiff: no modified type_change rules."""
+ self.assertFalse(self.diff.modified_type_changes)
+
+ def test_added_type_members(self):
+ """MLSvsStandardDiff: no added type_member rules."""
+ self.assertFalse(self.diff.added_type_members)
+
+ def test_removed_type_members(self):
+ """MLSvsStandardDiff: no removed type_member rules."""
+ self.assertFalse(self.diff.removed_type_members)
+
+ def test_modified_type_members(self):
+ """MLSvsStandardDiff: no modified type_member rules."""
+ self.assertFalse(self.diff.modified_type_members)
+
+ def test_added_range_transitions(self):
+ """MLSvsStandardDiff: no added range_transition rules."""
+ self.assertFalse(self.diff.added_range_transitions)
+
+ def test_removed_range_transitions(self):
+ """MLSvsStandardDiff: all range_transition rules removed."""
+ self.assertEqual(self.diff.left_policy.range_transition_count,
+ len(self.diff.removed_range_transitions))
+
+ def test_modified_range_transitions(self):
+ """MLSvsStandardDiff: no modified range_transition rules."""
+ self.assertFalse(self.diff.modified_range_transitions)
+
+ def test_added_role_allows(self):
+ """MLSvsStandardDiff: no added role_allow rules."""
+ self.assertFalse(self.diff.added_role_allows)
+
+ def test_removed_role_allows(self):
+ """MLSvsStandardDiff: no removed role_allow rules."""
+ self.assertFalse(self.diff.removed_role_allows)
+
+ def test_modified_role_allows(self):
+ """MLSvsStandardDiff: no modified role_allow rules."""
+ self.assertFalse(self.diff.modified_role_allows)
+
+ def test_added_role_transitions(self):
+ """MLSvsStandardDiff: no added role_transition rules."""
+ self.assertFalse(self.diff.added_role_transitions)
+
+ def test_removed_role_transitions(self):
+ """MLSvsStandardDiff: no removed role_transition rules."""
+ self.assertFalse(self.diff.removed_role_transitions)
+
+ def test_modified_role_transitions(self):
+ """MLSvsStandardDiff: no modified role_transition rules."""
+ self.assertFalse(self.diff.modified_role_transitions)
+
+ def test_added_users(self):
+ """MLSvsStandardDiff: no added users."""
+ self.assertFalse(self.diff.added_users)
+
+ def test_removed_users(self):
+ """MLSvsStandardDiff: no removed users."""
+ self.assertFalse(self.diff.removed_users)
+
+ def test_modified_users(self):
+ """MLSvsStandardDiff: all users modified."""
+ self.assertEqual(self.diff.left_policy.user_count, len(self.diff.modified_users))
+
+ def test_added_type_attributes(self):
+ """MLSvsStandardDiff: no added type attribute."""
+ self.assertFalse(self.diff.added_type_attributes)
+
+ def test_removed_type_attributes(self):
+ """MLSvsStandardDiff: no removed type attributes."""
+ self.assertFalse(self.diff.removed_type_attributes)
+
+ def test_modified_type_attributes(self):
+ """MLSvsStandardDiff: no modified type attributes."""
+ self.assertFalse(self.diff.modified_type_attributes)
+
+ def test_added_booleans(self):
+ """MLSvsStandardDiff: no added booleans."""
+ self.assertFalse(self.diff.added_booleans)
+
+ def test_removed_booleans(self):
+ """MLSvsStandardDiff: no removed booleans."""
+ self.assertFalse(self.diff.removed_booleans)
+
+ def test_modified_booleans(self):
+ """MLSvsStandardDiff: no modified booleans."""
+ self.assertFalse(self.diff.modified_booleans)
+
+ def test_added_categories(self):
+ """MLSvsStandardDiff: no added categories."""
+ self.assertFalse(self.diff.added_categories)
+
+ def test_removed_categories(self):
+ """MLSvsStandardDiff: all categories removed."""
+ self.assertEqual(self.diff.left_policy.category_count, len(self.diff.removed_categories))
+
+ def test_modified_categories(self):
+ """MLSvsStandardDiff: no modified categories."""
+ self.assertFalse(self.diff.modified_categories)
+
+ def test_added_sensitivities(self):
+ """MLSvsStandardDiff: no added sensitivities."""
+ self.assertFalse(self.diff.added_sensitivities)
+
+ def test_removed_sensitivities(self):
+ """MLSvsStandardDiff: all sensitivities removed."""
+ self.assertEqual(self.diff.left_policy.level_count, len(self.diff.removed_sensitivities))
+
+ def test_modified_sensitivities(self):
+ """MLSvsStandardDiff: no modified sensitivities."""
+ self.assertFalse(self.diff.modified_sensitivities)
+
+ def test_added_initialsids(self):
+ """MLSvsStandardDiff: no added initialsids."""
+ self.assertFalse(self.diff.added_initialsids)
+
+ def test_removed_initialsids(self):
+ """MLSvsStandardDiff: no removed initialsids."""
+ self.assertFalse(self.diff.removed_initialsids)
+
+ def test_modified_initialsids(self):
+ """MLSvsStandardDiff: all initialsids modified."""
+ self.assertEqual(self.diff.left_policy.initialsids_count,
+ len(self.diff.modified_initialsids))
+
+ def test_added_fs_uses(self):
+ """MLSvsStandardDiff: no added fs_uses."""
+ self.assertFalse(self.diff.added_fs_uses)
+
+ def test_removed_fs_uses(self):
+ """MLSvsStandardDiff: no removed fs_uses."""
+ self.assertFalse(self.diff.removed_fs_uses)
+
+ def test_modified_fs_uses(self):
+ """MLSvsStandardDiff: all fs_uses modified."""
+ self.assertEqual(self.diff.left_policy.fs_use_count, len(self.diff.modified_fs_uses))
+
+ def test_added_genfscons(self):
+ """MLSvsStandardDiff: no added genfscons."""
+ self.assertFalse(self.diff.added_genfscons)
+
+ def test_removed_genfscons(self):
+ """MLSvsStandardDiff: no removed genfscons."""
+ self.assertFalse(self.diff.removed_genfscons)
+
+ def test_modified_genfscons(self):
+ """MLSvsStandardDiff: all genfscons modified."""
+ self.assertEqual(self.diff.left_policy.genfscon_count, len(self.diff.modified_genfscons))
+
+ def test_added_levels(self):
+ """MLSvsStandardDiff: no added levels."""
+ self.assertFalse(self.diff.added_levels)
+
+ def test_removed_levels(self):
+ """MLSvsStandardDiff: all levels removed."""
+ self.assertEqual(self.diff.left_policy.level_count, len(self.diff.removed_levels))
+
+ def test_modified_levels(self):
+ """MLSvsStandardDiff: no modified levels."""
+ self.assertFalse(self.diff.modified_levels)
+
+ def test_added_netifcons(self):
+ """MLSvsStandardDiff: no added netifcons."""
+ self.assertFalse(self.diff.added_netifcons)
+
+ def test_removed_netifcons(self):
+ """MLSvsStandardDiff: no removed netifcons."""
+ self.assertFalse(self.diff.removed_netifcons)
+
+ def test_modified_netifcons(self):
+ """MLSvsStandardDiff: all netifcons modified."""
+ self.assertEqual(self.diff.left_policy.netifcon_count, len(self.diff.modified_netifcons))
+
+ def test_added_nodecons(self):
+ """MLSvsStandardDiff: no added nodecons."""
+ self.assertFalse(self.diff.added_nodecons)
+
+ def test_removed_nodecons(self):
+ """MLSvsStandardDiff: no removed nodecons."""
+ self.assertFalse(self.diff.removed_nodecons)
+
+ def test_modified_nodecons(self):
+ """MLSvsStandardDiff: all nodecons modified."""
+ self.assertEqual(self.diff.left_policy.nodecon_count, len(self.diff.modified_nodecons))
+
+ def test_added_polcaps(self):
+ """MLSvsStandardDiff: no added polcaps."""
+ self.assertFalse(self.diff.added_polcaps)
+
+ def test_removed_polcaps(self):
+ """MLSvsStandardDiff: no removed polcaps."""
+ self.assertFalse(self.diff.removed_polcaps)
+
+ def test_added_portcons(self):
+ """MLSvsStandardDiff: no added portcons."""
+ self.assertFalse(self.diff.added_portcons)
+
+ def test_removed_portcons(self):
+ """MLSvsStandardDiff: no removed portcons."""
+ self.assertFalse(self.diff.removed_portcons)
+
+ def test_modified_portcons(self):
+ """MLSvsStandardDiff: all portcons modified."""
+ self.assertEqual(self.diff.left_policy.portcon_count, len(self.diff.modified_portcons))
+
+ def test_modified_properties(self):
+ """MLSvsStandardDiff: MLS property modified only."""
+ self.assertEqual(1, len(self.diff.modified_properties))
+
+ name, added, removed = self.diff.modified_properties[0]
+ self.assertEqual("MLS", name)
+ self.assertIs(False, added)
+ self.assertIs(True, removed)
diff --git a/tests/diff_left_standard.conf b/tests/diff_left_standard.conf
new file mode 100644
index 0000000..953ea38
--- /dev/null
+++ b/tests/diff_left_standard.conf
@@ -0,0 +1,620 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+class removed_class
+class modified_add_perm
+class modified_remove_perm
+class modified_change_common
+
+sid kernel
+sid security
+sid matched_sid
+sid removed_sid
+sid modified_sid
+
+common infoflow
+{
+ low_w
+ med_w
+ hi_w
+ low_r
+ med_r
+ hi_r
+}
+
+common removed_common
+{
+ old_com
+}
+
+common modified_remove_perm
+{
+ same_perm
+ removed_perm
+}
+
+common modified_add_perm
+{
+ matched_perm
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+ super_w
+ super_r
+}
+
+class infoflow3
+{
+ null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+ super_w
+ super_r
+ super_none
+ super_both
+ super_unmapped
+}
+
+class removed_class
+{
+ null_perm
+}
+
+class modified_add_perm
+{
+ same_perm
+}
+
+class modified_remove_perm
+{
+ same_perm
+ removed_perm
+}
+
+class modified_change_common
+inherits removed_common
+
+attribute mls_exempt;
+attribute an_attr;
+attribute removed_attr;
+
+type system;
+role system;
+role system types system;
+
+################################################################################
+# Type enforcement declarations and rules
+
+type removed_type;
+
+type modified_remove_attr, an_attr;
+
+type modified_remove_alias alias an_alias;
+
+type modified_remove_permissive;
+permissive modified_remove_permissive;
+
+type modified_add_attr;
+
+type modified_add_alias;
+
+type modified_add_permissive;
+
+role removed_role;
+
+role modified_add_type;
+
+role modified_remove_type;
+role modified_remove_type types { system };
+
+# booleans
+bool same_bool true;
+bool removed_bool true;
+bool modified_bool false;
+
+# Allow rule differences
+type matched_source;
+type matched_target;
+allow matched_source matched_target:infoflow hi_w;
+
+type removed_rule_source;
+type removed_rule_target;
+allow removed_rule_source removed_rule_target:infoflow hi_r;
+
+type added_rule_source;
+type added_rule_target;
+
+type modified_rule_add_perms;
+allow modified_rule_add_perms self:infoflow hi_r;
+
+type modified_rule_remove_perms;
+allow modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type modified_rule_add_remove_perms;
+allow modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+allow removed_type self:infoflow3 null;
+
+type move_to_bool;
+bool move_to_bool_b false;
+allow move_to_bool self:infoflow4 hi_w;
+
+type move_from_bool;
+bool move_from_bool_b false;
+if (move_from_bool_b) {
+allow move_from_bool self:infoflow4 hi_r;
+}
+
+type switch_block;
+bool switch_block_b false;
+if (switch_block_b) {
+allow system switch_block:infoflow5 hi_r;
+allow system switch_block:infoflow6 hi_r;
+} else {
+allow system switch_block:infoflow7 hi_r;
+}
+
+attribute match_rule_by_attr;
+type match_rule_by_attr_A_t, match_rule_by_attr;
+type match_rule_by_attr_B_t, match_rule_by_attr;
+allow match_rule_by_attr self:infoflow2 super_w;
+
+attribute unioned_perm_via_attr;
+type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
+type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
+allow unioned_perm_via_attr self:infoflow2 super_w;
+allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
+allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# Auditallow rule differences
+type aa_matched_source;
+type aa_matched_target;
+auditallow aa_matched_source aa_matched_target:infoflow hi_w;
+
+type aa_removed_rule_source;
+type aa_removed_rule_target;
+auditallow aa_removed_rule_source aa_removed_rule_target:infoflow hi_r;
+
+type aa_added_rule_source;
+type aa_added_rule_target;
+
+type aa_modified_rule_add_perms;
+auditallow aa_modified_rule_add_perms self:infoflow hi_r;
+
+type aa_modified_rule_remove_perms;
+auditallow aa_modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type aa_modified_rule_add_remove_perms;
+auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+auditallow removed_type self:infoflow7 super_unmapped;
+
+type aa_move_to_bool;
+bool aa_move_to_bool_b false;
+auditallow aa_move_to_bool self:infoflow4 hi_w;
+
+type aa_move_from_bool;
+bool aa_move_from_bool_b false;
+if (aa_move_from_bool_b) {
+auditallow aa_move_from_bool self:infoflow4 hi_r;
+}
+
+type aa_switch_block;
+bool aa_switch_block_b false;
+if (aa_switch_block_b) {
+auditallow system aa_switch_block:infoflow5 hi_r;
+auditallow system aa_switch_block:infoflow6 hi_r;
+} else {
+auditallow system aa_switch_block:infoflow7 hi_r;
+}
+
+attribute aa_match_rule_by_attr;
+type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
+type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
+auditallow aa_match_rule_by_attr self:infoflow2 super_w;
+
+attribute aa_unioned_perm_via_attr;
+type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
+type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
+auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
+auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# Dontaudit rule differences
+type da_matched_source;
+type da_matched_target;
+dontaudit da_matched_source da_matched_target:infoflow hi_w;
+
+type da_removed_rule_source;
+type da_removed_rule_target;
+dontaudit da_removed_rule_source da_removed_rule_target:infoflow hi_r;
+
+type da_added_rule_source;
+type da_added_rule_target;
+
+type da_modified_rule_add_perms;
+dontaudit da_modified_rule_add_perms self:infoflow hi_r;
+
+type da_modified_rule_remove_perms;
+dontaudit da_modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type da_modified_rule_add_remove_perms;
+dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+dontaudit removed_type self:infoflow7 super_both;
+
+type da_move_to_bool;
+bool da_move_to_bool_b false;
+dontaudit da_move_to_bool self:infoflow4 hi_w;
+
+type da_move_from_bool;
+bool da_move_from_bool_b false;
+if (da_move_from_bool_b) {
+dontaudit da_move_from_bool self:infoflow4 hi_r;
+}
+
+type da_switch_block;
+bool da_switch_block_b false;
+if (da_switch_block_b) {
+dontaudit system da_switch_block:infoflow5 hi_r;
+dontaudit system da_switch_block:infoflow6 hi_r;
+} else {
+dontaudit system da_switch_block:infoflow7 hi_r;
+}
+
+attribute da_match_rule_by_attr;
+type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
+type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
+dontaudit da_match_rule_by_attr self:infoflow2 super_w;
+
+attribute da_unioned_perm_via_attr;
+type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
+type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
+dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
+dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# Neverallow rule differences
+type na_matched_source;
+type na_matched_target;
+neverallow na_matched_source na_matched_target:infoflow hi_w;
+
+type na_removed_rule_source;
+type na_removed_rule_target;
+neverallow na_removed_rule_source na_removed_rule_target:infoflow hi_r;
+
+type na_added_rule_source;
+type na_added_rule_target;
+
+type na_modified_rule_add_perms;
+neverallow na_modified_rule_add_perms self:infoflow hi_r;
+
+type na_modified_rule_remove_perms;
+neverallow na_modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type na_modified_rule_add_remove_perms;
+neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+neverallow removed_type self:removed_class null_perm;
+
+attribute na_match_rule_by_attr;
+type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
+type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
+neverallow na_match_rule_by_attr self:infoflow2 super_w;
+
+attribute na_unioned_perm_via_attr;
+type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
+type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
+neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
+neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# type_transition rule differences
+type tt_matched_source;
+type tt_matched_target;
+type_transition tt_matched_source tt_matched_target:infoflow system;
+
+type tt_removed_rule_source;
+type tt_removed_rule_target;
+type_transition tt_removed_rule_source tt_removed_rule_target:infoflow system;
+
+type tt_added_rule_source;
+type tt_added_rule_target;
+
+type tt_old_type;
+type tt_new_type;
+type_transition tt_matched_source system:infoflow tt_old_type;
+
+type_transition removed_type system:infoflow4 system;
+
+type tt_move_to_bool;
+bool tt_move_to_bool_b false;
+type_transition tt_move_to_bool system:infoflow3 system;
+
+type tt_move_from_bool;
+bool tt_move_from_bool_b false;
+if (tt_move_from_bool_b) {
+type_transition tt_move_from_bool system:infoflow4 system;
+}
+
+type tt_switch_block;
+bool tt_switch_block_b false;
+if (tt_switch_block_b) {
+type_transition system tt_switch_block:infoflow5 system;
+type_transition system tt_switch_block:infoflow6 system;
+} else {
+type_transition system tt_switch_block:infoflow7 system;
+}
+
+attribute tt_match_rule_by_attr;
+type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
+type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
+type_transition tt_match_rule_by_attr system:infoflow2 system;
+
+attribute tt_unioned_perm_via_attr;
+type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
+type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
+type_transition tt_unioned_perm_via_attr system:infoflow2 system;
+type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
+
+# type_change rule differences
+type tc_matched_source;
+type tc_matched_target;
+type_change tc_matched_source tc_matched_target:infoflow system;
+
+type tc_removed_rule_source;
+type tc_removed_rule_target;
+type_change tc_removed_rule_source tc_removed_rule_target:infoflow system;
+
+type tc_added_rule_source;
+type tc_added_rule_target;
+
+type tc_old_type;
+type tc_new_type;
+type_change tc_matched_source system:infoflow tc_old_type;
+
+type_change removed_type system:infoflow4 system;
+
+type tc_move_to_bool;
+bool tc_move_to_bool_b false;
+type_change tc_move_to_bool system:infoflow3 system;
+
+type tc_move_from_bool;
+bool tc_move_from_bool_b false;
+if (tc_move_from_bool_b) {
+type_change tc_move_from_bool system:infoflow4 system;
+}
+
+type tc_switch_block;
+bool tc_switch_block_b false;
+if (tc_switch_block_b) {
+type_change system tc_switch_block:infoflow5 system;
+type_change system tc_switch_block:infoflow6 system;
+} else {
+type_change system tc_switch_block:infoflow7 system;
+}
+
+attribute tc_match_rule_by_attr;
+type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
+type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
+type_change tc_match_rule_by_attr system:infoflow2 system;
+
+attribute tc_unioned_perm_via_attr;
+type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
+type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
+type_change tc_unioned_perm_via_attr system:infoflow2 system;
+type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
+
+# type_member rule differences
+type tm_matched_source;
+type tm_matched_target;
+type_member tm_matched_source tm_matched_target:infoflow system;
+
+type tm_removed_rule_source;
+type tm_removed_rule_target;
+type_member tm_removed_rule_source tm_removed_rule_target:infoflow system;
+
+type tm_added_rule_source;
+type tm_added_rule_target;
+
+type tm_old_type;
+type tm_new_type;
+type_member tm_matched_source system:infoflow tm_old_type;
+
+type_member removed_type system:infoflow4 system;
+
+type tm_move_to_bool;
+bool tm_move_to_bool_b false;
+type_member tm_move_to_bool system:infoflow3 system;
+
+type tm_move_from_bool;
+bool tm_move_from_bool_b false;
+if (tm_move_from_bool_b) {
+type_member tm_move_from_bool system:infoflow4 system;
+}
+
+type tm_switch_block;
+bool tm_switch_block_b false;
+if (tm_switch_block_b) {
+type_member system tm_switch_block:infoflow5 system;
+type_member system tm_switch_block:infoflow6 system;
+} else {
+type_member system tm_switch_block:infoflow7 system;
+}
+
+attribute tm_match_rule_by_attr;
+type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
+type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
+type_member tm_match_rule_by_attr system:infoflow2 system;
+
+attribute tm_unioned_perm_via_attr;
+type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
+type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
+type_member tm_unioned_perm_via_attr system:infoflow2 system;
+type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
+
+type rt_matched_source;
+type rt_matched_target;
+
+type rt_removed_rule_source;
+type rt_removed_rule_target;
+
+type rt_added_rule_source;
+type rt_added_rule_target;
+
+
+
+# range transitions cannot be conditional.
+#type rt_move_to_bool;
+#bool rt_move_to_bool_b false;
+
+#type rt_move_from_bool;
+#bool rt_move_from_bool_b false;
+#if (rt_move_from_bool_b) {
+#}
+
+#type rt_switch_block;
+#bool rt_switch_block_b false;
+#if (rt_switch_block_b) {
+#} else {
+#}
+
+attribute rt_match_rule_by_attr;
+type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
+type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
+
+attribute rt_unioned_perm_via_attr;
+type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
+type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
+
+# role allow
+role matched_source_r;
+role matched_target_r;
+allow matched_source_r matched_target_r;
+
+role removed_rule_source_r;
+role removed_rule_target_r;
+allow removed_rule_source_r removed_rule_target_r;
+
+role added_rule_source_r;
+role added_rule_target_r;
+
+allow removed_role system;
+
+# role_transition
+role role_tr_matched_source;
+type role_tr_matched_target;
+role_transition role_tr_matched_source role_tr_matched_target:infoflow system;
+
+role role_tr_removed_rule_source;
+type role_tr_removed_rule_target;
+role_transition role_tr_removed_rule_source role_tr_removed_rule_target:infoflow5 system;
+
+role role_tr_added_rule_source;
+type role_tr_added_rule_target;
+
+role_transition removed_role system:infoflow4 system;
+
+role role_tr_old_role;
+role role_tr_new_role;
+role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
+
+################################################################################
+
+# policycaps
+policycap open_perms;
+policycap network_peer_controls;
+
+#users
+user system roles system;
+
+user removed_user roles system;
+
+user modified_add_role roles system;
+user modified_remove_role roles { system removed_role };
+user modified_change_level roles system;
+user modified_change_range roles system;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system
+sid security system:system:system
+sid matched_sid system:system:system
+sid removed_sid removed_user:system:system
+sid modified_sid system:system:system
+
+#fs_use
+fs_use_trans devpts system:object_r:system;
+fs_use_xattr ext3 system:object_r:system;
+fs_use_task pipefs system:object_r:system;
+fs_use_task removed_fsuse system:object_r:system;
+fs_use_trans modified_fsuse removed_user:object_r:system;
+
+#genfscon
+genfscon proc / system:object_r:system
+genfscon proc /sys system:object_r:system
+genfscon selinuxfs / system:object_r:system
+genfscon removed_genfs / system:object_r:system
+genfscon change_path /old system:object_r:system
+genfscon modified_genfs / -s removed_user:object_r:system
+
+# matched portcons
+portcon tcp 80 system:object_r:system
+portcon udp 80 system:object_r:system
+portcon udp 30-40 system:object_r:system
+
+# removed portcons
+portcon udp 1024 system:object_r:system
+portcon tcp 1024-1026 system:object_r:system
+
+# modified portcons
+portcon udp 3024 removed_user:object_r:system
+portcon tcp 3024-3026 removed_user:object_r:system
+
+netifcon eth0 system:object_r:system system:object_r:system
+netifcon removed_netif system:object_r:system system:object_r:system
+netifcon mod_ctx_netif removed_user:object_r:system system:object_r:system
+netifcon mod_pkt_netif system:object_r:system removed_user:object_r:system
+netifcon mod_both_netif removed_user:object_r:system removed_user:object_r:system
+
+# matched nodecons
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system
+
+# removed nodecons
+nodecon 127.0.0.2 255.255.255.255 removed_user:object_r:system
+nodecon ::2 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff removed_user:object_r:system
+
+# modified nodecons
+nodecon 127.0.0.3 255.255.255.255 modified_change_level:object_r:system
+nodecon ::3 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff modified_change_level:object_r:system
+
+# change netmask (add/remove)
+nodecon 127.0.0.5 255.255.255.255 system:object_r:system
+nodecon ::5 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system