class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class added_class
class modified_add_perm
class modified_remove_perm
class modified_change_common

sid kernel
sid security
sid matched_sid
sid added_sid
sid modified_sid

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

common added_common
{
    new_com
}

common modified_remove_perm
{
    same_perm
}

common modified_add_perm
{
    matched_perm
    added_perm
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

class added_class
{
    new_class_perm
}

class modified_add_perm
{
    same_perm
    added_perm
}

class modified_remove_perm
{
    same_perm
}

class modified_change_common
inherits added_common

sensitivity s0 alias { al1 };
sensitivity s1 alias { al3 al4 };
sensitivity s2;
sensitivity s3;
sensitivity s40;
sensitivity s41;
sensitivity s42;
sensitivity s43;
sensitivity s44;
sensitivity s45;
sensitivity s46;

dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s46 }

category c0 alias { spam };
category c1 alias { foo bar };
category c2;
category c3;
category c4;
category c6;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s40:c1,c3;
level s41:c0.c3;
level s42:c0.c4;
level s43:c0.c4;
level s44:c0.c4;
level s45:c0.c4;
level s46:c0.c4;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;
attribute an_attr;
attribute added_attr;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

type added_type;

type modified_remove_attr;

type modified_remove_alias;

type modified_remove_permissive;

type modified_add_attr, an_attr;

type modified_add_alias alias an_alias;

type modified_add_permissive;
permissive modified_add_permissive;

role added_role;

role modified_add_type;
role modified_add_type types { system };

role modified_remove_type;

# booleans
bool same_bool true;
bool added_bool true;
bool modified_bool true;

# Allow rule differences
type matched_source;
type matched_target;
allow matched_source matched_target:infoflow hi_w;

type removed_rule_source;
type removed_rule_target;

type added_rule_source;
type added_rule_target;
allow added_rule_source added_rule_target:infoflow med_w;

type modified_rule_add_perms;
allow modified_rule_add_perms self:infoflow { hi_r hi_w };

type modified_rule_remove_perms;
allow modified_rule_remove_perms self:infoflow low_w;

type modified_rule_add_remove_perms;
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

allow added_type self:infoflow2 med_w;

type move_to_bool;
bool move_to_bool_b false;
if (move_to_bool_b) {
allow move_to_bool self:infoflow4 hi_w;
}

type move_from_bool;
bool move_from_bool_b false;
allow move_from_bool self:infoflow4 hi_r;

type switch_block;
bool switch_block_b false;
if (switch_block_b) {
allow system switch_block:infoflow5 hi_r;
} else {
allow system switch_block:infoflow6 hi_r;
allow system switch_block:infoflow7 hi_r;
}

attribute match_rule_by_attr;
type match_rule_by_attr_A_t, match_rule_by_attr;
type match_rule_by_attr_B_t, match_rule_by_attr;
allow match_rule_by_attr_A_t self:infoflow2 super_w;
allow match_rule_by_attr_B_t self:infoflow2 super_w;

attribute unioned_perm_via_attr;
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
allow unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
allow unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };

# Auditallow rule differences
type aa_matched_source;
type aa_matched_target;
auditallow aa_matched_source aa_matched_target:infoflow hi_w;

type aa_removed_rule_source;
type aa_removed_rule_target;

type aa_added_rule_source;
type aa_added_rule_target;
auditallow aa_added_rule_source aa_added_rule_target:infoflow med_w;

type aa_modified_rule_add_perms;
auditallow aa_modified_rule_add_perms self:infoflow { hi_r hi_w };

type aa_modified_rule_remove_perms;
auditallow aa_modified_rule_remove_perms self:infoflow low_w;

type aa_modified_rule_add_remove_perms;
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

auditallow added_type self:infoflow7 super_none;

type aa_move_to_bool;
bool aa_move_to_bool_b false;
if (aa_move_to_bool_b) {
auditallow aa_move_to_bool self:infoflow4 hi_w;
}

type aa_move_from_bool;
bool aa_move_from_bool_b false;
auditallow aa_move_from_bool self:infoflow4 hi_r;

type aa_switch_block;
bool aa_switch_block_b false;
if (aa_switch_block_b) {
auditallow system aa_switch_block:infoflow5 hi_r;
} else {
auditallow system aa_switch_block:infoflow6 hi_r;
auditallow system aa_switch_block:infoflow7 hi_r;
}

attribute aa_match_rule_by_attr;
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
auditallow aa_match_rule_by_attr_A_t self:infoflow2 super_w;
auditallow aa_match_rule_by_attr_B_t self:infoflow2 super_w;

attribute aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };

# Dontaudit rule differences
type da_matched_source;
type da_matched_target;
dontaudit da_matched_source da_matched_target:infoflow hi_w;

type da_removed_rule_source;
type da_removed_rule_target;

type da_added_rule_source;
type da_added_rule_target;
dontaudit da_added_rule_source da_added_rule_target:infoflow med_w;

type da_modified_rule_add_perms;
dontaudit da_modified_rule_add_perms self:infoflow { hi_r hi_w };

type da_modified_rule_remove_perms;
dontaudit da_modified_rule_remove_perms self:infoflow low_w;

type da_modified_rule_add_remove_perms;
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

dontaudit added_type self:infoflow7 super_none;

type da_move_to_bool;
bool da_move_to_bool_b false;
if (da_move_to_bool_b) {
dontaudit da_move_to_bool self:infoflow4 hi_w;
}

type da_move_from_bool;
bool da_move_from_bool_b false;
dontaudit da_move_from_bool self:infoflow4 hi_r;

type da_switch_block;
bool da_switch_block_b false;
if (da_switch_block_b) {
dontaudit system da_switch_block:infoflow5 hi_r;
} else {
dontaudit system da_switch_block:infoflow6 hi_r;
dontaudit system da_switch_block:infoflow7 hi_r;
}

attribute da_match_rule_by_attr;
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
dontaudit da_match_rule_by_attr_A_t self:infoflow2 super_w;
dontaudit da_match_rule_by_attr_B_t self:infoflow2 super_w;

attribute da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };

# Neverallow rule differences
type na_matched_source;
type na_matched_target;
neverallow na_matched_source na_matched_target:infoflow hi_w;

type na_removed_rule_source;
type na_removed_rule_target;

type na_added_rule_source;
type na_added_rule_target;
neverallow na_added_rule_source na_added_rule_target:infoflow med_w;

type na_modified_rule_add_perms;
neverallow na_modified_rule_add_perms self:infoflow { hi_r hi_w };

type na_modified_rule_remove_perms;
neverallow na_modified_rule_remove_perms self:infoflow low_w;

type na_modified_rule_add_remove_perms;
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

neverallow added_type self:added_class new_class_perm;

attribute na_match_rule_by_attr;
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
neverallow na_match_rule_by_attr_A_t self:infoflow2 super_w;
neverallow na_match_rule_by_attr_B_t self:infoflow2 super_w;

attribute na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };

# type_transition rule differences
type tt_matched_source;
type tt_matched_target;
type_transition tt_matched_source tt_matched_target:infoflow system;

type tt_removed_rule_source;
type tt_removed_rule_target;

type tt_added_rule_source;
type tt_added_rule_target;
type_transition tt_added_rule_source tt_added_rule_target:infoflow system;

type tt_old_type;
type tt_new_type;
type_transition tt_matched_source system:infoflow tt_new_type;

type_transition added_type system:infoflow4 system;

type tt_move_to_bool;
bool tt_move_to_bool_b false;
if (tt_move_to_bool_b) {
type_transition tt_move_to_bool system:infoflow3 system;
}

type tt_move_from_bool;
bool tt_move_from_bool_b false;
type_transition tt_move_from_bool system:infoflow4 system;

type tt_switch_block;
bool tt_switch_block_b false;
if (tt_switch_block_b) {
type_transition system tt_switch_block:infoflow5 system;
} else {
type_transition system tt_switch_block:infoflow6 system;
type_transition system tt_switch_block:infoflow7 system;
}

attribute tt_match_rule_by_attr;
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
type_transition tt_match_rule_by_attr system:infoflow2 system;

attribute tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;

# type_change rule differences
type tc_matched_source;
type tc_matched_target;
type_change tc_matched_source tc_matched_target:infoflow system;

type tc_removed_rule_source;
type tc_removed_rule_target;

type tc_added_rule_source;
type tc_added_rule_target;
type_change tc_added_rule_source tc_added_rule_target:infoflow system;

type tc_old_type;
type tc_new_type;
type_change tc_matched_source system:infoflow tc_new_type;

type_change added_type system:infoflow4 system;

type tc_move_to_bool;
bool tc_move_to_bool_b false;
if (tc_move_to_bool_b) {
type_change tc_move_to_bool system:infoflow3 system;
}

type tc_move_from_bool;
bool tc_move_from_bool_b false;
type_change tc_move_from_bool system:infoflow4 system;

type tc_switch_block;
bool tc_switch_block_b false;
if (tc_switch_block_b) {
type_change system tc_switch_block:infoflow5 system;
} else {
type_change system tc_switch_block:infoflow6 system;
type_change system tc_switch_block:infoflow7 system;
}

attribute tc_match_rule_by_attr;
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
type_change tc_match_rule_by_attr system:infoflow2 system;

attribute tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
type_change tc_unioned_perm_via_attr system:infoflow2 system;
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;

# type_member rule differences
type tm_matched_source;
type tm_matched_target;
type_member tm_matched_source tm_matched_target:infoflow system;

type tm_removed_rule_source;
type tm_removed_rule_target;

type tm_added_rule_source;
type tm_added_rule_target;
type_member tm_added_rule_source tm_added_rule_target:infoflow system;

type tm_old_type;
type tm_new_type;
type_member tm_matched_source system:infoflow tm_new_type;

type_member added_type system:infoflow4 system;

type tm_move_to_bool;
bool tm_move_to_bool_b false;
if (tm_move_to_bool_b) {
type_member tm_move_to_bool system:infoflow3 system;
}

type tm_move_from_bool;
bool tm_move_from_bool_b false;
type_member tm_move_from_bool system:infoflow4 system;

type tm_switch_block;
bool tm_switch_block_b false;
if (tm_switch_block_b) {
type_member system tm_switch_block:infoflow5 system;
} else {
type_member system tm_switch_block:infoflow6 system;
type_member system tm_switch_block:infoflow7 system;
}

attribute tm_match_rule_by_attr;
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
type_member tm_match_rule_by_attr system:infoflow2 system;

attribute tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
type_member tm_unioned_perm_via_attr system:infoflow2 system;
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;

# range_transition rule differences
type rt_matched_source;
type rt_matched_target;
range_transition rt_matched_source rt_matched_target:infoflow s0;

type rt_removed_rule_source;
type rt_removed_rule_target;

type rt_added_rule_source;
type rt_added_rule_target;
range_transition rt_added_rule_source rt_added_rule_target:infoflow s3;

range_transition rt_matched_source system:infoflow s0:c0,c4 - s1:c0.c2,c4;

range_transition added_type system:infoflow4 s3;

# range transitions cannot be conditional.
#type rt_move_to_bool;
#bool rt_move_to_bool_b false;
#if (rt_move_to_bool_b) {
#range_transition rt_move_to_bool system:infoflow3 s0;
#}

#type rt_move_from_bool;
#bool rt_move_from_bool_b false;
#range_transition rt_move_from_bool system:infoflow4 s0;

#type rt_switch_block;
#bool rt_switch_block_b false;
#if (rt_switch_block_b) {
#range_transition system rt_switch_block:infoflow5 s0;
#} else {
#range_transition system rt_switch_block:infoflow6 s0;
#range_transition system rt_switch_block:infoflow7 s0;
#}

attribute rt_match_rule_by_attr;
type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
range_transition rt_match_rule_by_attr system:infoflow2 s0;

attribute rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
range_transition rt_unioned_perm_via_attr system:infoflow2 s0;
range_transition rt_unioned_perm_via_attr_B_t system:infoflow2 s0;

# role allow
role matched_source_r;
role matched_target_r;
allow matched_source_r matched_target_r;

role removed_rule_source_r;
role removed_rule_target_r;

role added_rule_source_r;
role added_rule_target_r;
allow added_rule_source_r added_rule_target_r;

allow added_role system;

# role_transition
role role_tr_matched_source;
type role_tr_matched_target;
role_transition role_tr_matched_source role_tr_matched_target:infoflow system;

role role_tr_removed_rule_source;
type role_tr_removed_rule_target;

role role_tr_added_rule_source;
type role_tr_added_rule_target;
role_transition role_tr_added_rule_source role_tr_added_rule_target:infoflow6 system;

role_transition added_role system:infoflow4 system;

role role_tr_old_role;
role role_tr_new_role;
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_new_role;

################################################################################

#users
user system roles system level s0 range s0;

user added_user roles system level s1 range s1;

user modified_add_role roles { system added_role } level s2 range s2;
user modified_remove_role roles system level s2 range s2;
user modified_change_level roles system level s2:c1 range s2:c0,c1;
user modified_change_range roles system level s3:c1 range s3:c1.c4;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
sid matched_sid system:system:system:s0
sid added_sid added_user:system:system:s1
sid modified_sid modified_add_role:system:system:s2

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
fs_use_xattr added_fsuse system:object_r:system:s0;
fs_use_trans modified_fsuse added_user:object_r:system:s1;

#genfscon
genfscon proc / system:object_r:system:s0
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s0
genfscon added_genfs / added_user:object_r:system:s0
genfscon change_path /new system:object_r:system:s0
genfscon modified_genfs / -s added_user:object_r:system:s0

portcon tcp 80 system:object_r:system:s0

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
netifcon added_netif system:object_r:system:s0 system:object_r:system:s0
netifcon mod_ctx_netif added_user:object_r:system:s0 system:object_r:system:s0
netifcon mod_pkt_netif system:object_r:system:s0 added_user:object_r:system:s0
netifcon mod_both_netif added_user:object_r:system:s0 added_user:object_r:system:s0

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0