# Kernel policy source (policy.conf dialect) that appears to exercise each
# statement form once, using placeholder identifiers (CLASS1, TYPE1, ROLE1,
# USER1, ...).  Sections follow the order the checkpolicy grammar requires:
# object classes, initial SIDs, access vectors, default_* rules, policy
# capabilities, TE/RBAC declarations and rules, users, constraints, initial
# SID contexts, then the labelling statements (fs_use_*, genfscon, portcon,
# netifcon, nodecon, ib*).  Statement forms, not just their effect, are what
# this file seems to cover, so rules are deliberately not merged -- TODO confirm.
#
# handle_unknown deny
# NOTE(review): the handle_unknown line above is a comment, so this file sets
# no unknown-class/permission handling of its own; the compiler default (or
# the value passed to checkpolicy, e.g. -U) is what applies -- confirm.

# Object classes.  dir and file are declared but receive no permissions here;
# process is used by the role_transition rule further down.
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process

# Initial SID declaration; its security context is assigned near the end.
sid kernel

# Access vectors.  COMMON1 is a shared permission set inherited by CLASS2 and
# CLASS3; CLASS1 carries PERM1 plus ioctl (ioctl is required by the *xperm
# rules below).
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 ioctl }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }

# default_* rules: whether the source or target context supplies the user,
# role or type of a new object of the listed class when no explicit rule
# applies.
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;

# Enables the open_perms policy capability.
policycap open_perms;

attribute ATTR1;
attribute ATTR2;
# Boolean with default value true; see the conditional block below.
bool BOOL1 true;
type TYPE1;
type TYPE2;
type TYPE3;
type TYPE4;
typealias TYPE1 alias TYPEALIAS1;
typealias TYPE3 alias TYPEALIAS3A;
typealias TYPE3 alias TYPEALIAS3B;
typealias TYPE4 alias TYPEALIAS4;
# typebounds <parent> <child>: TYPE3 is bounded by TYPE4 and may not be
# granted permissions that TYPE4 lacks.
typebounds TYPE4 TYPE3;
typeattribute TYPE4 ATTR2;

# SECURITY: TYPE1 is a permissive domain -- denials against it are only
# logged, not enforced.  Acceptable in a parser/compiler fixture; this line
# must never be carried into a production policy.
permissive TYPE1;

allow TYPE1 self:CLASS1 { PERM1 };
allow TYPE1 self:CLASS2 { CPERM1 };
# auditallow: record an audit event when these accesses are granted.
auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
# dontaudit: suppress denial records for these accesses; grants nothing.
dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };

# Extended permissions narrowing the ioctl permission on TYPE1 -> TYPE2:CLASS1
# to specific request numbers / ranges.
# NOTE(review): no `allow TYPE1 TYPE2:CLASS1 { ioctl };` rule is present in
# this file, and xperm rules only refine an ioctl access that the base allow
# rules already grant, so at runtime these would authorize nothing.  Fine for
# a statement-coverage fixture; worth knowing before reusing it as a template.
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff };
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff };
allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 };
auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };

# Type enforcement transition/member/change rules (unnamed forms).
type_transition TYPE1 TYPE2:CLASS1 TYPE3;
type_member TYPE1 TYPE2:CLASS1 TYPE2;
type_change TYPE1 TYPE2:CLASS1 TYPE3;
# Name-based transitions: apply only to objects created with the literal
# name "FILENAME".
type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";

# Conditional block.  The if-branch is intentionally empty; the else-branch
# adds ioctl to TYPE1's self permissions on CLASS1.  Because BOOL1 defaults
# to true, that extra rule is inactive until the boolean is toggled.
if (BOOL1) {
} else {
    allow TYPE1 self:CLASS1 { PERM1 ioctl };
}

role ROLE1;
role ROLE2;
role ROLE3;
# ROLE1 is authorised for TYPE1; ROLE2 and ROLE3 are declared with no types.
role ROLE1 types { TYPE1 };
# Role transitions: one on a generic class, one on process.
role_transition ROLE1 TYPE1:CLASS1 ROLE2;
role_transition ROLE1 TYPE1:process ROLE2;
# Role allow rule: ROLE1 may change to ROLE2.
allow ROLE1 ROLE2;
user USER1 roles ROLE1;

# Constraint on CLASS1 PERM1: same user, or same role and same type.
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
# validatetrans on CLASS2: a context change is valid only when the users
# match and the third context's type (t3) carries ATTR1.
validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);

# Context for the initial SID declared above.
sid kernel USER1:ROLE1:TYPE1

# Filesystem labelling behaviour: xattr-based, transition-based and
# task-based, each with a default context.
fs_use_xattr btrfs USER1:ROLE1:TYPE1;
fs_use_trans devpts USER1:ROLE1:TYPE1;
fs_use_task pipefs USER1:ROLE1:TYPE1;
# genfscon: -d restricts the entry to directories, -- to regular files, no
# flag matches any object type.
genfscon proc "/" -d USER1:ROLE1:TYPE1
genfscon proc "/file1" -- USER1:ROLE1:TYPE1
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
# Network labelling: single port and port range, interface (interface context
# then default packet context), IPv4/IPv6 nodes with masks.
portcon tcp 80 USER1:ROLE1:TYPE1
portcon udp 100-200 USER1:ROLE1:TYPE1
netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
nodecon 127.0.0.0 255.255.255.0 USER1:ROLE1:TYPE1
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
nodecon ff80:: ffff:: USER1:ROLE1:TYPE1
# InfiniBand labelling: pkey (single value and range) under a subnet prefix,
# and end ports by device name and port number.
ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1