# checkpolicy policy.conf fixture that exercises one instance of (almost) every
# statement kind.  The inline "will be turned into ..." / "are not dumped" notes
# describe what a policy dump / round-trip tool is expected to emit for the
# statement that follows them, so the statements themselves must stay exactly as
# written.  Identifiers are deliberately placeholders (CLASS1, TYPE1, ...), and
# several rules below are intentionally permissive for coverage; none of this is
# a policy anyone should load on a real system.

# NOTE(review): handle_unknown is left commented out - presumably because the
# policy.conf grammar has no such statement (checkpolicy takes it from -U /
# --handle-unknown, CIL from "handleunknown"); confirm against the parser.
# handle_unknown deny

# --- Object classes -----------------------------------------------------------
# Class declarations must precede everything else; dir/file/process are the
# kernel-required names, the CLASSn names are synthetic.
class CLASS1
class CLASS2
class CLASS3
class dir
class file
class process

# --- Initial SIDs (declaration only; the context is assigned near the bottom) --
sid kernel

# --- Permissions: common set, per-class perms, inheritance ---------------------
common COMMON1 { CPERM1 }
class CLASS1 { PERM1 ioctl }
class CLASS2 inherits COMMON1
class CLASS3 inherits COMMON1 { PERM1 }

# --- default_* rules: which side of a transition a new object's user/role/type
# is taken from when no explicit transition rule matches ------------------------
default_user { CLASS1 } source;
default_role { CLASS2 } target;
default_type { CLASS3 } source;

# --- MLS: sensitivities, a sensitivity alias, dominance order, categories,
# a category alias, and the levels that define which categories each
# sensitivity may carry ---------------------------------------------------------
sensitivity s0;
sensitivity s1;
sensitivity s2 alias SENSALIAS;
dominance { s0 s1 SENSALIAS }
category c0;
category c1 alias CATALIAS;
level s0:c0;
level s1:c0,c1;
level s2;
# MLS constraint on PERM1 and an MLS validatetrans using the high level (h2).
mlsconstrain CLASS1 { PERM1 } l1 == l2;
mlsvalidatetrans CLASS1 r1 domby r2 and l1 incomp h2;

# --- Policy capability ---------------------------------------------------------
policycap open_perms;

# --- Type attributes ------------------------------------------------------------
attribute ATTR1;
attribute ATTR2;
# expandattribute controls whether rules written against the attribute are kept
# as attribute rules in the kernel policy or expanded to the member types.
expandattribute ATTR1 true;
expandattribute ATTR2 false;

# --- Types, aliases (both syntaxes), attribute membership, bounds --------------
type TYPE1;
type TYPE2, ATTR1;
type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
type TYPE4 alias TYPEALIAS4, ATTR2;
typealias TYPE1 alias TYPEALIAS1;
typeattribute TYPE1 ATTR1;
# typebounds <parent> <child>: TYPE3 is bounded by TYPE4, i.e. TYPE3 may not be
# granted anything TYPE4 is not.
typebounds TYPE4 TYPE3;

# --- Booleans (runtime-toggleable) and tunables (build-time) -------------------
bool BOOL1 true;
tunable TUNABLE1 false;
tunable TUNABLE2 true;

# --- Type enforcement transitions ----------------------------------------------
type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
# Named (filename) transition with sets on both the source and target side.
type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
type_member TYPE1 TYPE2 : CLASS1 TYPE2;
type_change TYPE1 TYPE2 : CLASS1 TYPE3;
# MLS range transition; "c0.c1" is the category range c0 through c1.
range_transition TYPE1 TYPE2 : CLASS1 s1:c0.c1;

# --- Access-vector rules ---------------------------------------------------------
allow TYPE1 self : CLASS1 { PERM1 };
auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
# neverallow is a compile-time assertion: the build fails if any allow rule in
# the policy grants CPERM1 from TYPE1 to TYPE2 on CLASS2/CLASS3.  Nothing
# visible in this file does (the allow rules below target self or TYPE1).
neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };

# --- Extended-permission (ioctl) rules; the numbers are ioctl request values --
allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;

# SECURITY: TYPE1 is declared permissive - denials for that domain are only
# logged, never enforced.  Acceptable in a parser fixture; a statement like this
# must never reach a production policy.
permissive TYPE1;

# --- Roles, role attributes, role transitions and role allow -------------------
attribute_role ROLE_ATTR1;
role ROLE1;
role ROLE3;
role ROLE2, ROLE_ATTR1;
role_transition ROLE1 TYPE1 ROLE2;
role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
# Role allow (not a TE allow): lets ROLE1 change to ROLE2.
allow ROLE1 ROLE2;
roleattribute ROLE3 ROLE_ATTR1;
role ROLE1 types { TYPE1 };

# --- Conditional, tunable and optional blocks -----------------------------------
# "*" grants every permission the class defines; used here only to exercise the
# wildcard syntax.
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }

# --- Users --------------------------------------------------------------------------
user USER1 roles ROLE1 level s0 range s0 - s1:c0.c1;

# --- Non-MLS constraints ----------------------------------------------------------
constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
# sameuser will be turned into (u1 == u2)
validatetrans CLASS2 sameuser and t3 == ATTR1;

# --- Initial SID context and object contexts (no trailing ';' on most of these) --
sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0.c1
# fscon statements are not dumped
fscon 2 3 USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
# The category alias is used on purpose here to check alias handling in ranges.
fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0.CATALIAS;
fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
# paths will be turned into quoted strings
genfscon proc / -d USER1:ROLE1:TYPE1:s0
genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0
genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0
portcon tcp 80 USER1:ROLE1:TYPE1:s0
portcon udp 100-200 USER1:ROLE1:TYPE1:s0
netifcon lo USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0
nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0
# hex numbers will be turned into decimal ones
ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1:s0
ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1:s0
ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0
ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0