class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class added_class
class modified_add_perm
class modified_remove_perm
class modified_change_common

sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
    ioctl
}

common added_common
{
    new_com
}

common modified_remove_perm
{
    same_perm
}

common modified_add_perm
{
    matched_perm
    added_perm
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

class added_class
{
    new_class_perm
}

class modified_add_perm
{
    same_perm
    added_perm
}

class modified_remove_perm
{
    same_perm
}

class modified_change_common
inherits added_common

# matching defaults:
default_user infoflow source;
default_role infoflow source;
default_type infoflow source;
default_range infoflow source low;

# added:
default_user infoflow2 target;
default_range infoflow2 source low;

# removed:

# modified:
default_type infoflow4 target;
default_range infoflow4 target low;

# modified range:
default_range infoflow5 target high;

# modified both
default_range infoflow6 target low;

sensitivity s0 alias { al1 };
sensitivity s1 alias { al3 al4 };
sensitivity s2;
sensitivity s3;
sensitivity s40;
sensitivity s41;
sensitivity s42;
sensitivity s43;
sensitivity s44;
sensitivity s45;
sensitivity s46;

dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s46 }

category c0 alias { spam };
category c1 alias { foo bar };
category c2;
category c3;
category c4;
category c6;

#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s40:c1,c3;
level s41:c0.c3;
level s42:c0.c4;
level s43:c0.c4;
level s44:c0.c4;
level s45:c0.c4;
level s46:c0.c4;

# matching mls constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

# added mls constraint
mlsconstrain infoflow3 null ((l1 domby l2 and h1 domby h2) or (t1 != mls_exempt));

# removed mls constraint

# remove/add mls constraint (expression change)
mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 incomp h2) or (t1 == mls_exempt));

# matching mls validatetrans
mlsvalidatetrans infoflow (h1 == h2 or t3 == system);

# added mls validatetrans
mlsvalidatetrans infoflow3 ((l1 == l2 and h1 == h2) or t3 == mls_exempt);

# removed mls validatetrans

# remove/add mls validatetrans (expression change)
mlsvalidatetrans infoflow5 ((l1 incomp l2 and h1 domby h2) or (t3 == mls_exempt));

attribute mls_exempt;
attribute an_attr;
attribute added_attr;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

type added_type;

type modified_remove_attr;

type modified_remove_alias;

type modified_remove_permissive;

type modified_add_attr, an_attr;

type modified_add_alias alias an_alias;

type modified_add_permissive;
permissive modified_add_permissive;

role added_role;

role modified_add_type;
role modified_add_type types { system };

role modified_remove_type;

# booleans
bool same_bool true;
bool added_bool true;
bool modified_bool true;

# Allow rule differences
type matched_source;
type matched_target;
allow matched_source matched_target:infoflow hi_w;

type removed_rule_source;
type removed_rule_target;

type added_rule_source;
type added_rule_target;
allow added_rule_source added_rule_target:infoflow med_w;

type modified_rule_add_perms;
allow modified_rule_add_perms self:infoflow { hi_r hi_w };

type modified_rule_remove_perms;
allow modified_rule_remove_perms self:infoflow low_w;

type modified_rule_add_remove_perms;
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

allow added_type self:infoflow2 med_w;

type move_to_bool;
bool move_to_bool_b false;
if (move_to_bool_b) {
allow move_to_bool self:infoflow4 hi_w;
}

type move_from_bool;
bool move_from_bool_b false;
allow move_from_bool self:infoflow4 hi_r;

type switch_block;
bool switch_block_b false;
if (switch_block_b) {
allow system switch_block:infoflow5 hi_r;
} else {
allow system switch_block:infoflow6 hi_r;
allow system switch_block:infoflow7 hi_r;
}

attribute match_rule_by_attr;
type match_rule_by_attr_A_t, match_rule_by_attr;
type match_rule_by_attr_B_t, match_rule_by_attr;
allow match_rule_by_attr_A_t self:infoflow2 super_w;
allow match_rule_by_attr_B_t self:infoflow2 super_w;

attribute union_perm_a;
attribute union_perm_b;
attribute union_perm_c;
type union_perm_source, union_perm_a, union_perm_c;
type union_perm_target, union_perm_b;
allow union_perm_a union_perm_b:infoflow hi_w;
allow union_perm_c union_perm_target:infoflow med_w;
allow union_perm_source union_perm_target:infoflow low_w;

# Auditallow rule differences
type aa_matched_source;
type aa_matched_target;
auditallow aa_matched_source aa_matched_target:infoflow hi_w;

type aa_removed_rule_source;
type aa_removed_rule_target;

type aa_added_rule_source;
type aa_added_rule_target;
auditallow aa_added_rule_source aa_added_rule_target:infoflow med_w;

type aa_modified_rule_add_perms;
auditallow aa_modified_rule_add_perms self:infoflow { hi_r hi_w };

type aa_modified_rule_remove_perms;
auditallow aa_modified_rule_remove_perms self:infoflow low_w;

type aa_modified_rule_add_remove_perms;
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

auditallow added_type self:infoflow7 super_none;

type aa_move_to_bool;
bool aa_move_to_bool_b false;
if (aa_move_to_bool_b) {
auditallow aa_move_to_bool self:infoflow4 hi_w;
}

type aa_move_from_bool;
bool aa_move_from_bool_b false;
auditallow aa_move_from_bool self:infoflow4 hi_r;

type aa_switch_block;
bool aa_switch_block_b false;
if (aa_switch_block_b) {
auditallow system aa_switch_block:infoflow5 hi_r;
} else {
auditallow system aa_switch_block:infoflow6 hi_r;
auditallow system aa_switch_block:infoflow7 hi_r;
}

attribute aa_match_rule_by_attr;
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
auditallow aa_match_rule_by_attr_A_t self:infoflow2 super_w;
auditallow aa_match_rule_by_attr_B_t self:infoflow2 super_w;

attribute aa_union_perm_a;
attribute aa_union_perm_b;
attribute aa_union_perm_c;
type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
type aa_union_perm_target, aa_union_perm_b;
auditallow aa_union_perm_a aa_union_perm_b:infoflow hi_w;
auditallow aa_union_perm_c aa_union_perm_target:infoflow med_w;
auditallow aa_union_perm_source aa_union_perm_target:infoflow low_w;

# Dontaudit rule differences
type da_matched_source;
type da_matched_target;
dontaudit da_matched_source da_matched_target:infoflow hi_w;

type da_removed_rule_source;
type da_removed_rule_target;

type da_added_rule_source;
type da_added_rule_target;
dontaudit da_added_rule_source da_added_rule_target:infoflow med_w;

type da_modified_rule_add_perms;
dontaudit da_modified_rule_add_perms self:infoflow { hi_r hi_w };

type da_modified_rule_remove_perms;
dontaudit da_modified_rule_remove_perms self:infoflow low_w;

type da_modified_rule_add_remove_perms;
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

dontaudit added_type self:infoflow7 super_none;

type da_move_to_bool;
bool da_move_to_bool_b false;
if (da_move_to_bool_b) {
dontaudit da_move_to_bool self:infoflow4 hi_w;
}

type da_move_from_bool;
bool da_move_from_bool_b false;
dontaudit da_move_from_bool self:infoflow4 hi_r;

type da_switch_block;
bool da_switch_block_b false;
if (da_switch_block_b) {
dontaudit system da_switch_block:infoflow5 hi_r;
} else {
dontaudit system da_switch_block:infoflow6 hi_r;
dontaudit system da_switch_block:infoflow7 hi_r;
}

attribute da_match_rule_by_attr;
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
dontaudit da_match_rule_by_attr_A_t self:infoflow2 super_w;
dontaudit da_match_rule_by_attr_B_t self:infoflow2 super_w;

attribute da_union_perm_a;
attribute da_union_perm_b;
attribute da_union_perm_c;
type da_union_perm_source, da_union_perm_a, da_union_perm_c;
type da_union_perm_target, da_union_perm_b;
dontaudit da_union_perm_a da_union_perm_b:infoflow hi_w;
dontaudit da_union_perm_c da_union_perm_target:infoflow med_w;
dontaudit da_union_perm_source da_union_perm_target:infoflow low_w;

# Neverallow rule differences
type na_matched_source;
type na_matched_target;
neverallow na_matched_source na_matched_target:infoflow hi_w;

type na_removed_rule_source;
type na_removed_rule_target;

type na_added_rule_source;
type na_added_rule_target;
neverallow na_added_rule_source na_added_rule_target:infoflow med_w;

type na_modified_rule_add_perms;
neverallow na_modified_rule_add_perms self:infoflow { hi_r hi_w };

type na_modified_rule_remove_perms;
neverallow na_modified_rule_remove_perms self:infoflow low_w;

type na_modified_rule_add_remove_perms;
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };

neverallow added_type self:added_class new_class_perm;

attribute na_match_rule_by_attr;
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
neverallow na_match_rule_by_attr_A_t self:infoflow2 super_w;
neverallow na_match_rule_by_attr_B_t self:infoflow2 super_w;

attribute na_union_perm_a;
attribute na_union_perm_b;
attribute na_union_perm_c;
type na_union_perm_source, na_union_perm_a, na_union_perm_c;
type na_union_perm_target, na_union_perm_b;
neverallow na_union_perm_a na_union_perm_b:infoflow hi_w;
neverallow na_union_perm_c na_union_perm_target:infoflow med_w;
neverallow na_union_perm_source na_union_perm_target:infoflow low_w;

# type_transition rule differences
type tt_matched_source;
type tt_matched_target;
type_transition tt_matched_source tt_matched_target:infoflow system;

type tt_removed_rule_source;
type tt_removed_rule_target;

type tt_added_rule_source;
type tt_added_rule_target;
type_transition tt_added_rule_source tt_added_rule_target:infoflow system;

type tt_old_type;
type tt_new_type;
type_transition tt_matched_source system:infoflow tt_new_type;

type_transition added_type system:infoflow4 system;

type tt_move_to_bool;
bool tt_move_to_bool_b false;
if (tt_move_to_bool_b) {
type_transition tt_move_to_bool system:infoflow3 system;
}

type tt_move_from_bool;
bool tt_move_from_bool_b false;
type_transition tt_move_from_bool system:infoflow4 system;

type tt_switch_block;
bool tt_switch_block_b false;
if (tt_switch_block_b) {
type_transition system tt_switch_block:infoflow5 system;
} else {
type_transition system tt_switch_block:infoflow6 system;
type_transition system tt_switch_block:infoflow7 system;
}

attribute tt_match_rule_by_attr;
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
type_transition tt_match_rule_by_attr system:infoflow2 system;

attribute tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;

# type_change rule differences
type tc_matched_source;
type tc_matched_target;
type_change tc_matched_source tc_matched_target:infoflow system;

type tc_removed_rule_source;
type tc_removed_rule_target;

type tc_added_rule_source;
type tc_added_rule_target;
type_change tc_added_rule_source tc_added_rule_target:infoflow system;

type tc_old_type;
type tc_new_type;
type_change tc_matched_source system:infoflow tc_new_type;

type_change added_type system:infoflow4 system;

type tc_move_to_bool;
bool tc_move_to_bool_b false;
if (tc_move_to_bool_b) {
type_change tc_move_to_bool system:infoflow3 system;
}

type tc_move_from_bool;
bool tc_move_from_bool_b false;
type_change tc_move_from_bool system:infoflow4 system;

type tc_switch_block;
bool tc_switch_block_b false;
if (tc_switch_block_b) {
type_change system tc_switch_block:infoflow5 system;
} else {
type_change system tc_switch_block:infoflow6 system;
type_change system tc_switch_block:infoflow7 system;
}

attribute tc_match_rule_by_attr;
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
type_change tc_match_rule_by_attr system:infoflow2 system;

attribute tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
type_change tc_unioned_perm_via_attr system:infoflow2 system;
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;

# type_member rule differences
type tm_matched_source;
type tm_matched_target;
type_member tm_matched_source tm_matched_target:infoflow system;

type tm_removed_rule_source;
type tm_removed_rule_target;

type tm_added_rule_source;
type tm_added_rule_target;
type_member tm_added_rule_source tm_added_rule_target:infoflow system;

type tm_old_type;
type tm_new_type;
type_member tm_matched_source system:infoflow tm_new_type;

type_member added_type system:infoflow4 system;

type tm_move_to_bool;
bool tm_move_to_bool_b false;
if (tm_move_to_bool_b) {
type_member tm_move_to_bool system:infoflow3 system;
}

type tm_move_from_bool;
bool tm_move_from_bool_b false;
type_member tm_move_from_bool system:infoflow4 system;

type tm_switch_block;
bool tm_switch_block_b false;
if (tm_switch_block_b) {
type_member system tm_switch_block:infoflow5 system;
} else {
type_member system tm_switch_block:infoflow6 system;
type_member system tm_switch_block:infoflow7 system;
}

attribute tm_match_rule_by_attr;
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
type_member tm_match_rule_by_attr system:infoflow2 system;

attribute tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
type_member tm_unioned_perm_via_attr system:infoflow2 system;
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;

# range_transition rule differences
type rt_matched_source;
type rt_matched_target;
range_transition rt_matched_source rt_matched_target:infoflow s0;

type rt_removed_rule_source;
type rt_removed_rule_target;

type rt_added_rule_source;
type rt_added_rule_target;
range_transition rt_added_rule_source rt_added_rule_target:infoflow s3;

range_transition rt_matched_source system:infoflow s0:c0,c4 - s1:c0.c2,c4;

range_transition added_type system:infoflow4 s3;

# range transitions cannot be conditional.
#type rt_move_to_bool;
#bool rt_move_to_bool_b false;
#if (rt_move_to_bool_b) {
#range_transition rt_move_to_bool system:infoflow3 s0;
#}

#type rt_move_from_bool;
#bool rt_move_from_bool_b false;
#range_transition rt_move_from_bool system:infoflow4 s0;

#type rt_switch_block;
#bool rt_switch_block_b false;
#if (rt_switch_block_b) {
#range_transition system rt_switch_block:infoflow5 s0;
#} else {
#range_transition system rt_switch_block:infoflow6 s0;
#range_transition system rt_switch_block:infoflow7 s0;
#}

attribute rt_match_rule_by_attr;
type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
range_transition rt_match_rule_by_attr system:infoflow2 s0;

attribute rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
range_transition rt_unioned_perm_via_attr system:infoflow2 s0;
range_transition rt_unioned_perm_via_attr_B_t system:infoflow2 s0;

# role allow
role matched_source_r;
role matched_target_r;
allow matched_source_r matched_target_r;

role removed_rule_source_r;
role removed_rule_target_r;

role added_rule_source_r;
role added_rule_target_r;
allow added_rule_source_r added_rule_target_r;

allow added_role system;

# role_transition
role role_tr_matched_source;
type role_tr_matched_target;
role_transition role_tr_matched_source role_tr_matched_target:infoflow system;

role role_tr_removed_rule_source;
type role_tr_removed_rule_target;

role role_tr_added_rule_source;
type role_tr_added_rule_target;
role_transition role_tr_added_rule_source role_tr_added_rule_target:infoflow6 system;

role_transition added_role system:infoflow4 system;

role role_tr_old_role;
role role_tr_new_role;
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_new_role;

# Allowxperm rule differences
type ax_matched_source;
type ax_matched_target;
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;

type ax_removed_rule_source;
type ax_removed_rule_target;

type ax_added_rule_source;
type ax_added_rule_target;
allowxperm ax_added_rule_source ax_added_rule_target:infoflow ioctl 0x0002;

type ax_modified_rule_add_perms;
allowxperm ax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };

type ax_modified_rule_remove_perms;
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl 0x0005;

type ax_modified_rule_add_remove_perms;
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };

allowxperm added_type self:infoflow7 ioctl 0x0009;

attribute ax_match_rule_by_attr;
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
allowxperm ax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
allowxperm ax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;

attribute ax_union_perm_a;
attribute ax_union_perm_b;
attribute ax_union_perm_c;
type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
type ax_union_perm_target, ax_union_perm_b;
allowxperm ax_union_perm_a ax_union_perm_b:infoflow ioctl 0x1;
allowxperm ax_union_perm_c ax_union_perm_target:infoflow ioctl 0x2;
allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl 0x3;

# Auditallowxperm rule differences
type aax_matched_source;
type aax_matched_target;
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;

type aax_removed_rule_source;
type aax_removed_rule_target;

type aax_added_rule_source;
type aax_added_rule_target;
auditallowxperm aax_added_rule_source aax_added_rule_target:infoflow ioctl 0x0002;

type aax_modified_rule_add_perms;
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };

type aax_modified_rule_remove_perms;
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl 0x0005;

type aax_modified_rule_add_remove_perms;
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };

auditallowxperm added_type self:infoflow7 ioctl 0x0009;

attribute aax_match_rule_by_attr;
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
auditallowxperm aax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
auditallowxperm aax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;

attribute aax_union_perm_a;
attribute aax_union_perm_b;
attribute aax_union_perm_c;
type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
type aax_union_perm_target, aax_union_perm_b;
auditallowxperm aax_union_perm_a aax_union_perm_b:infoflow ioctl 0x1;
auditallowxperm aax_union_perm_c aax_union_perm_target:infoflow ioctl 0x2;
auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl 0x3;

# Neverallowxperm rule differences
type nax_matched_source;
type nax_matched_target;
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;

type nax_removed_rule_source;
type nax_removed_rule_target;

type nax_added_rule_source;
type nax_added_rule_target;
neverallowxperm nax_added_rule_source nax_added_rule_target:infoflow ioctl 0x0002;

type nax_modified_rule_add_perms;
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };

type nax_modified_rule_remove_perms;
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl 0x0005;

type nax_modified_rule_add_remove_perms;
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };

neverallowxperm added_type self:infoflow7 ioctl 0x0009;

attribute nax_match_rule_by_attr;
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
neverallowxperm nax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
neverallowxperm nax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;

attribute nax_union_perm_a;
attribute nax_union_perm_b;
attribute nax_union_perm_c;
type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
type nax_union_perm_target, nax_union_perm_b;
neverallowxperm nax_union_perm_a nax_union_perm_b:infoflow ioctl 0x1;
neverallowxperm nax_union_perm_c nax_union_perm_target:infoflow ioctl 0x2;
neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl 0x3;

# Dontauditxperm rule differences
type dax_matched_source;
type dax_matched_target;
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;

type dax_removed_rule_source;
type dax_removed_rule_target;

type dax_added_rule_source;
type dax_added_rule_target;
dontauditxperm dax_added_rule_source dax_added_rule_target:infoflow ioctl 0x0002;

type dax_modified_rule_add_perms;
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl { 0x0004 0x000f };

type dax_modified_rule_remove_perms;
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl 0x0005;

type dax_modified_rule_add_remove_perms;
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0006 0x0008 };

dontauditxperm added_type self:infoflow7 ioctl 0x0009;

attribute dax_match_rule_by_attr;
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
dontauditxperm dax_match_rule_by_attr_A_t self:infoflow2 ioctl 0x000a;
dontauditxperm dax_match_rule_by_attr_B_t self:infoflow2 ioctl 0x000a;

attribute dax_union_perm_a;
attribute dax_union_perm_b;
attribute dax_union_perm_c;
type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
type dax_union_perm_target, dax_union_perm_b;
dontauditxperm dax_union_perm_a dax_union_perm_b:infoflow ioctl 0x1;
dontauditxperm dax_union_perm_c dax_union_perm_target:infoflow ioctl 0x2;
dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl 0x3;

################################################################################
# matching typebounds
type match_parent;
type match_child;
typebounds match_parent match_child;

# removed typebounds
type removed_parent;
type removed_child;

# added typebounds
type added_parent;
type added_child;
typebounds added_parent added_child;

# modified typebounds
type mod_parent_removed;
type mod_parent_added;
type mod_child;
typebounds mod_parent_added mod_child;

# policycaps
policycap open_perms;
policycap always_check_network;

#users
user system roles system level s0 range s0;

user added_user roles system level s1 range s1;

user modified_add_role roles { system added_role } level s2 range s2;
user modified_remove_role roles system level s2 range s2;
user modified_change_level roles system level s2:c1 range s2:c1 - s2:c0,c1;
user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c4;

# matching constraints
constrain infoflow hi_w (u1 == u2 or t1 == system);
constrain infoflow hi_w (t1 == t2 or t1 == system);
constrain infoflow hi_r (r1 == r2 or t1 == system);

# added constraint
constrain infoflow3 null (u1 != u2);

# removed constraint

# remove/add constraint (expression change)
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 != system));

# matching validatetrans
validatetrans infoflow (u1 == u2 or t3 == system);
validatetrans infoflow (r1 == r2 or t3 == system);
validatetrans infoflow2 (u1 == u2 or t3 == system);

# added validatetrans
validatetrans infoflow3 (t1 == t2 or t3 == system);

# removed validatetrans

# remove/add validatetrans (expression change)
validatetrans infoflow5 ((u1 != u2 and r1 == r2) or (t3 == system));

#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
sid unlabeled system:system:system:s0
sid fs system:system:system:s0
sid file system:system:system:s0
sid file_labels added_user:system:system:s1

#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
fs_use_xattr added_fsuse system:object_r:system:s0;
fs_use_trans modified_fsuse added_user:object_r:system:s1;

#genfscon
genfscon proc / system:object_r:system:s0
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s0
genfscon added_genfs / added_user:object_r:system:s0
genfscon change_path /new system:object_r:system:s0
genfscon modified_genfs / -s added_user:object_r:system:s0

# matched portcons
portcon tcp 80 system:object_r:system:s0
portcon udp 80 system:object_r:system:s0
portcon udp 30-40 system:object_r:system:s0

# added portcons
portcon udp 2024 system:object_r:system:s0
portcon tcp 2024-2026 system:object_r:system:s0

# modified portcons
portcon udp 3024 added_user:object_r:system:s1
portcon tcp 3024-3026 added_user:object_r:system:s1

netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
netifcon added_netif system:object_r:system:s0 system:object_r:system:s0
netifcon mod_ctx_netif added_user:object_r:system:s0 system:object_r:system:s0
netifcon mod_pkt_netif system:object_r:system:s0 added_user:object_r:system:s0
netifcon mod_both_netif added_user:object_r:system:s0 added_user:object_r:system:s0

# matched nodecons
nodecon 121.0.0.0 255.0.0.0 system:object_r:system:s0
nodecon ff01:: ffff:ffff:ffff:fffc:: system:object_r:system:s0

# added nodecons
nodecon 124.0.0.0 255.0.0.0 added_user:object_r:system:s0
nodecon ff04:: ffff:ffff:ffff:fffc:: added_user:object_r:system:s0

# modified nodecons
nodecon 123.0.0.0 255.0.0.0 modified_change_level:object_r:system:s2:c0
nodecon ff03:: ffff:ffff:ffff:fffc:: modified_change_level:object_r:system:s2:c1

# change netmask (add/remove)
nodecon 125.0.0.0 255.255.0.0 system:object_r:system:s0
nodecon ff05:: ffff:ffff:ffff:fff0:: system:object_r:system:s0