| # handle_unknown deny |
| class process |
| class file |
| class blk_file |
| class chr_file |
| class lnk_file |
| class fifo_file |
| class sock_file |
| class class0 |
| sid kernel |
| sid security |
| sid unlabeled |
| sid fs |
| sid file |
| sid file_labels |
| sid init |
| sid any_socket |
| sid port |
| sid netif |
| sid netmsg |
| sid node |
| sid igmp_packet |
| sid icmp_socket |
| sid tcp_socket |
| sid sysctl_modprobe |
| sid sysctl |
| sid sysctl_fs |
| sid sysctl_kernel |
| sid sysctl_net |
| sid sysctl_net_unix |
| sid sysctl_vm |
| sid sysctl_dev |
| sid kmod |
| sid policy |
| sid scmp_packet |
| sid devnull |
| common file { create open } |
| class process { fork transition getsched setsched getpgid setpgid sigchld sigkill sigstop signal ptrace } |
| class file inherits file { execute_no_trans } |
| class class0 { perm0 } |
| sensitivity s0; |
| sensitivity s1; |
| dominance { s0 s1 } |
| category c0; |
| category c1; |
| category c2; |
| category c3; |
| category c4; |
| level s0:c0; |
| level s1:c0.c4; |
| mlsconstrain class0 { perm0 } l1 == l2; |
| type type0; |
| role subject_r; |
| allow type0 self:class0 { perm0 }; |
| user user0 roles object_r level s0 range s0 - s0:c0; |
| user user1 roles subject_r level s1:c2 range s1 - s1:c0.c4; |
| sid kernel user0:object_r:type0:s0:c0 - s1:c0.c2,c4 |
| sid unlabeled user0:object_r:type0:s0 |