class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7

sid kernel
sid security

common infoflow
{
	low_w
	med_w
	hi_w
	low_r
	med_r
	hi_r
}

class infoflow
inherits infoflow

class infoflow2
inherits infoflow
{
	super_w
	super_r
}

class infoflow3
{
	null
}

class infoflow4
inherits infoflow

class infoflow5
inherits infoflow

class infoflow6
inherits infoflow

class infoflow7
inherits infoflow
{
	super_w
	super_r
	super_none
	super_both
	super_unmapped
}

sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;

dominance { low_s med high_s }

category here;
category there;
category elsewhere alias lost;

#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;

#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));

attribute mls_exempt;

type system;
role system;
role system types system;

################################################################################
# Type enforcement declarations and rules

########################################
#
# TE Rule Query
#

# test 1
# ruletype: unset
# source: test1a, direct, no regex
# target: unset
# class: unset
# perms: unset
attribute test1a;
type test1s, test1a;
type test1t;
type test1FAIL, test1a;
allow test1a test1t:infoflow hi_w;
allow test1FAIL self:infoflow hi_w;

# test 2
# ruletype: unset
# source: test2s, indirect, no regex
# target: unset
# class: unset
# perms: unset
attribute test2a;
type test2s, test2a;
type test2t;
allow test2a test2t:infoflow hi_w;
#allow test2s test2t:infoflow low_r;

# test 3
# ruletype: unset
# source: test3a.*, direct, regex
# target: unset
# class: unset
# perms: unset
attribute test3aS;
attribute test3b;
type test3s, test3aS;
type test3t;
type test3aFAIL, test3b;
allow test3s  test3t:infoflow hi_w;
allow test3aS test3t:infoflow low_r;
allow test3b  test3t:infoflow med_w;

# test 4
# ruletype: unset
# source: test4(s|t), indirect, regex
# target: unset
# class: unset
# perms: unset
attribute test4a1;
attribute test4a2;
type test4s1, test4a1;
type test4t1, test4a2;
type test4FAIL;
allow test4a1 test4a1:infoflow hi_w;
allow test4a2 test4a2:infoflow low_r;
allow test4FAIL self:infoflow med_w;

# test 5
# ruletype: unset
# source: unset
# target: test5a, direct, no regex
# class: unset
# perms: unset
attribute test5a;
type test5s;
type test5t, test5a;
allow test5s test5a:infoflow hi_w;
allow test5s test5t:infoflow hi_w;

# test 6
# ruletype: unset
# source: unset
# target: test6t, indirect, no regex
# class: unset
# perms: unset
attribute test6a;
type test6s;
type test6t, test6a;
allow test6s test6a:infoflow hi_w;
allow test6s test6t:infoflow low_r;

# test 7
# ruletype: unset
# source: unset
# target: test7a.*, direct, regex
# class: unset
# perms: unset
attribute test7aPASS;
attribute test7b;
type test7s;
type test7t, test7aPASS;
type test7aFAIL, test7b;
allow test7s  test7t:infoflow hi_w;
allow test7s test7aPASS:infoflow low_r;
allow test7s  test7b:infoflow med_w;

# test 8
# ruletype: unset
# source: unset
# target: test8(s|t), indirect, regex
# class: unset
# perms: unset
attribute test8a1;
attribute test8a2;
type test8s1, test8a1;
type test8t1, test8a2;
type test8FAIL;
allow test8a1 test8a1:infoflow hi_w;
allow test8a2 test8a2:infoflow low_r;
allow test8FAIL self:infoflow med_w;

# test 9
# ruletype: unset
# source: unset
# target: unset
# class: infoflow2, no regex
# perms: unset
type test9;
allow test9 self:infoflow hi_w;
allow test9 self:infoflow2 super_w;

# test 10
# ruletype: unset
# source: unset
# target: unset
# class: infoflow3,infoflow4 , no regex
# perms: unset
type test10;
allow test10 self:infoflow hi_w;
allow test10 self:infoflow4 hi_w;
allow test10 self:infoflow3 null;

# test 11
# ruletype: unset
# source: unset
# target: unset
# class: infoflow(5|6), regex
# perms: unset
type test11;
allow test11 self:infoflow hi_w;
allow test11 self:infoflow5 low_w;
allow test11 self:infoflow6 med_r;

# test 12
# ruletype: unset
# source: unset
# target: unset
# class: unset
# perms: super_r, any
type test12a;
type test12b;
allow test12a self:infoflow7 super_r;
allow test12b self:infoflow7 { super_r super_none };

# test 13
# ruletype: unset
# source: unset
# target: unset
# class: unset
# perms: super_w,super_none,super_both equal
type test13a;
type test13b;
type test13c;
type test13d;
allow test13a self:infoflow7 super_w;
allow test13b self:infoflow7 { super_w super_none };
allow test13c self:infoflow7 { super_w super_none super_both };
allow test13d self:infoflow7 { super_w super_none super_both super_unmapped };

# test 14
# ruletype: dontaudit,auditallow
# source: unset
# target: unset
# class: unset
# perms: unset
type test14;
auditallow test14 self:infoflow7 super_both;
dontaudit test14 self:infoflow7 super_unmapped;


# test 100
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test100d
type test100;
type test100d;
type_transition test100 test100:infoflow7 test100d;

# test 101
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: test101.
type test101;
type test101d;
type test101e;
type_transition test101 test101d:infoflow7 test101e;
type_transition test101 test101e:infoflow7 test101d;


# test 200
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: unset
# boolean: test200
type test200t1;
type test200t2;
bool test200 false;
bool test200a true;
if (test200) {
allow test200t1 self:infoflow7 super_w;
}
if (test200 && test200a) {
allow test200t2 self:infoflow7 super_w;
}

# test 201
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: unset
# boolean: test201a test201b
type test201t1;
type test201t2;
bool test201a false;
bool test201b true;
if (test201a) {
allow test201t1 self:infoflow7 super_w;
}
if (test201b) {
allow test201t2 self:infoflow7 super_w;
}
if (test201a && test201b) {
allow test201t1 self:infoflow7 super_unmapped;
}

# test 202
# ruletype: unset
# source: unset
# target: unset
# class: unset
# default: unset
# boolean: test202(a|b)
type test202t1;
type test202t2;
bool test202a false;
bool test202b true;
bool test202c true;
if (test202a) {
allow test202t1 self:infoflow7 super_none;
}
if (test202c) {
allow test202t2 self:infoflow7 super_both;
}
if (test202c || test202b) {
allow test202t2 self:infoflow7 super_unmapped;
}

################################################################################

#users
user system roles system level med range low_s - high_s:here.lost;

#normal constraints
constrain infoflow hi_w (u1 == u2);

#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost

#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;

#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there

portcon tcp 80 system:object_r:system:low_s

netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s

nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here