1# handle_unknown deny 2class CLASS1 3sid kernel 4class CLASS1 { PERM1 } 5sensitivity s0; 6dominance { s0 } 7category c0; 8level s0:c0; 9mlsconstrain CLASS1 { PERM1 } l1 == l2; 10type TYPE1; 11allow TYPE1 self:CLASS1 { PERM1 }; 12role ROLE1; 13role ROLE1 types { TYPE1 }; 14user USER1 roles ROLE1 level s0 range s0 - s0:c0; 15sid kernel USER1:ROLE1:TYPE1:s0 - s0 16