setools/tests/commonquery.conf
Chris PeBenito f6dc7c3cf8 MatchPermission: Change to use CriteriaPermissionSetDescriptor.
Fix common query test policy to meet new permission validations.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-22 18:42:39 -04:00


# Object class declarations. Only the class names are introduced here; the
# permissions of each class are attached in the later "class ... inherits ..."
# statements of this file.
class infoflow
class null
class rw
# Initial SID declarations. The security context of each initial SID is
# assigned in the "#isids" section near the end of this file.
sid kernel
sid security
# Common permission sets (named groups of permissions a class can inherit).
# In this file only test1, test10a and test11a are inherited by a class; the
# other commons are declared without any class using them.
# NOTE(review): the numeric suffixes look like they map to test-case numbers
# in the common-query test module - confirm against that module before
# renaming or removing any of these.

# test1: the only common carrying the hi_*/super_* permissions; inherited by
# class infoflow below, so the allow rule and constraints refer to these.
common test1
{
hi_w
hi_r
super_r
super_w
}
# test2a / test2b: two commons with a shared name prefix and disjoint
# permission sets.
common test2a
{
send
recv
}
common test2b
{
sig
}
# test10a / test10b: both contain the permission "null"; test10b adds "ping".
# Note that "null" is also the name of an object class in this file.
common test10a
{
null
}
common test10b
{
null
ping
}
# test11a / test11b / test11c: test11a holds {read, write}; test11b and
# test11c each hold one of the two.
# presumably exercises exact-set versus subset permission matching - verify.
common test11a
{
read
write
}
common test11b
{
read
}
common test11c
{
write
}
# test12a / test12b: permissions that all start with "sig".
common test12a
{
signal
sigchld
}
common test12b
{
sigkill
}
# Access vector definitions: each class takes its whole permission set from
# one common and declares no class-specific permissions of its own.
#   infoflow -> test1   (hi_w, hi_r, super_r, super_w)
#   null     -> test10a (null)
#   rw       -> test11a (read, write)
# NOTE(review): the commit message says this policy was changed to satisfy
# new permission validation; presumably these inherits are what make the
# queried permissions exist on a class - confirm before trimming them.
class infoflow
inherits test1
class null
inherits test10a
class rw
inherits test11a
# MLS section: sensitivities, their ordering, categories, and the levels that
# may be formed from them.
# medium_s can also be written as "med"; both spellings are used in this file.
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
# Dominance is listed lowest to highest: low_s < medium_s (med) < high_s.
dominance { low_s med high_s }
# "lost" is an alias for category "elsewhere".
category here;
category there;
category elsewhere alias lost;
# Level declarations: which categories may be combined with each sensitivity.
# "a.b" is a category range, "a, b" is a list.
#   low_s    : here through there
#   medium_s : here and elsewhere (not there)
#   high_s   : here through elsewhere (written via the alias "lost")
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
# MLS constraint on infoflow:hi_r. The permission is only granted when the
# source's low level dominates the target's low level (l1 dom l2), or when the
# source type carries the mls_exempt attribute.
# NOTE(review): mls_exempt is declared later in this file but no type here is
# given that attribute, so within this policy the exemption branch matches
# nothing and only the dominance check can satisfy the constraint.
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
# Type enforcement and RBAC declarations.
# mls_exempt is the attribute referenced by the mlsconstrain statement on
# infoflow:hi_r; it is declared here with no member types in this file.
attribute mls_exempt;
# "system" is used as a type name, a role name and (further down) a user
# name. These are separate declarations that happen to share one identifier.
type system;
role system;
# Authorise role system for type system.
role system types system;
# The only allow rule in this file: type system may use hi_r on infoflow
# objects labelled system. hi_w, super_r and super_w are not granted by any
# rule here.
allow system system:infoflow hi_r;
# Users.
# User system is authorised for role system only. Its default level is
# medium_s (written "med") and its permitted range runs from low_s with no
# categories up to high_s with categories here through elsewhere ("lost").
user system roles system level med range low_s - high_s:here.lost;
# Non-MLS constraints.
# infoflow:hi_w requires the source and target SELinux user to be equal.
# NOTE(review): no allow rule in this file grants hi_w, so this constraint
# restricts a permission that is never allowed in this policy.
constrain infoflow hi_w (u1 == u2);
# Initial SID contexts, in user:role:type:level form, for the two initial
# SIDs declared at the top of the file.
#   kernel   -> medium_s with category here
#   security -> high_s with category elsewhere (written via the alias "lost")
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
# Filesystem labeling behaviour (fs_use_*): one statement of each kind
# (trans, xattr, task), all with the same low_s context.
# NOTE(review): every context from here down uses role object_r, which this
# file never declares; presumably the policy compiler provides it implicitly
# - confirm.
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
# genfscon: path-based contexts for filesystems. Two entries for proc
# ("/" and "/sys") at different levels, and one for selinuxfs at high_s with
# categories here through there.
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
# Network object contexts.
# portcon: TCP port 80.
portcon tcp 80 system:object_r:system:low_s
# netifcon takes two contexts: the interface context, then the packet context.
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
# nodecon: address followed by netmask. Both masks are all-ones, so each
# entry matches exactly one host (IPv4 and IPv6 loopback respectively).
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here