# Test policy exercising most statement kinds of the SELinux kernel policy
# language (classes, types, attributes, AV rules, conditionals, constraints
# and labeling statements). The uppercase names are placeholders; the
# comments below record what the dumper is expected to do with a construct.
# Unknown-class handling is left at the default (the statement is commented out).
# handle_unknown deny
# Object classes; the last three are declared by name only.
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process
# Initial SID declaration; its security context is assigned further down.
sid kernel
# Permission sets: a common set shared by CLASS2 and CLASS3, plus per-class perms.
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 ioctl }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }
# Default user/role/type for new objects of these classes, taken from the
# source or the target context.
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;
policycap open_perms;
attribute ATTR1;
attribute ATTR2;
# expandattribute controls whether rules using the attribute are expanded
# to its member types.
expandattribute ATTR1 true;
expandattribute ATTR2 false;
type TYPE1;
type TYPE2, ATTR1;
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
type TYPE4 alias TYPEALIAS4, ATTR2;
typealias TYPE1 alias TYPEALIAS1;
typeattribute TYPE1 ATTR1;
# typebounds BOUNDING BOUNDED: TYPE3 can never be granted more than TYPE4.
typebounds TYPE4 TYPE3;
# A runtime-toggleable boolean versus build-time tunables.
bool BOOL1 true;
tunable TUNABLE1 false;
tunable TUNABLE2 true;
# Type enforcement transition/member/change rules, including a name-based
# transition keyed on "FILENAME".
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
type_change TYPE1 TYPE2 : CLASS1 TYPE3;
# Access vector rules: allow grants; auditallow logs granted access;
# dontaudit suppresses denial records (less log noise, but also less
# visibility for detection); neverallow is a compile-time assertion that
# fails the build if a matching allow exists anywhere in the policy.
allow TYPE1 self : CLASS1 { PERM1 };
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
# Extended permission rules narrow ioctl to specific command numbers or
# ranges rather than granting the whole ioctl permission.
allowxperm TYPE1 TYPE2 : CLASS1 ioctl { 0x456-0x5678 };
auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
# Permissive domain: denials for TYPE1 are logged but not enforced. Fine in
# a parser test fixture; in a real policy it removes enforcement for that domain.
permissive TYPE1;
# RBAC: role attribute, roles, role transitions (with and without an
# object class) and a role allow rule.
attribute_role ROLE_ATTR1;
role ROLE1;
role ROLE3;
role ROLE2, ROLE_ATTR1;
role_transition ROLE1 TYPE1 ROLE2;
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
allow ROLE1 ROLE2;
roleattribute ROLE3 ROLE_ATTR1;
role ROLE1 types { TYPE1 };
# Conditional blocks on a boolean and on tunables; '*' grants every
# permission defined for the class.
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
# Optional block with a require section.
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
user USER1 roles ROLE1;
# Constraints are checked in addition to the allow rules above.
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
# sameuser will be turned into (u1 == u2)
validatetrans CLASS2 sameuser and t3 == ATTR1;
# Initial SID context and filesystem labeling statements.
sid kernel USER1:ROLE1:TYPE1
# fscon statements are not dumped
fscon 2 3 USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
fs_use_xattr btrfs USER1:ROLE1:TYPE1;
fs_use_trans devpts USER1:ROLE1:TYPE1;
fs_use_task pipefs USER1:ROLE1:TYPE1;
# paths will be turned into quoted strings
genfscon proc / -d USER1:ROLE1:TYPE1
genfscon proc "/file1" -- USER1:ROLE1:TYPE1
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
# Network labeling: single port and port range, interface, and IPv4/IPv6
# nodes given with an explicit mask and in CIDR form.
portcon tcp 80 USER1:ROLE1:TYPE1
portcon udp 100-200 USER1:ROLE1:TYPE1
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
nodecon 127.0.0.0/24 USER1:ROLE1:TYPE1
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
nodecon ff80::/16 USER1:ROLE1:TYPE1
# hex numbers will be turned into decimal ones
ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1
ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1