| # handle_unknown deny |
| class process |
| class file |
| class blk_file |
| class chr_file |
| class lnk_file |
| class fifo_file |
| class sock_file |
| sid kernel |
| sid security |
| sid unlabeled |
| sid fs |
| sid file |
| sid file_labels |
| sid init |
| sid any_socket |
| sid port |
| sid netif |
| sid netmsg |
| sid node |
| sid igmp_packet |
| sid icmp_socket |
| sid tcp_socket |
| sid sysctl_modprobe |
| sid sysctl |
| sid sysctl_fs |
| sid sysctl_kernel |
| sid sysctl_net |
| sid sysctl_net_unix |
| sid sysctl_vm |
| sid sysctl_dev |
| sid kmod |
| sid policy |
| sid scmp_packet |
| sid devnull |
| common file { create open } |
| class file inherits file { execute_no_trans entrypoint } |
| class process { fork transition getsched setsched getpgid setpgid sigchld sigkill sigstop signal ptrace } |
| default_range file target low-high; |
| sensitivity s0; |
| sensitivity s1; |
| dominance { s0 s1 } |
| category c0; |
| level s0:c0; |
| level s1:c0; |
| mlsconstrain process { fork } l1 == l2; |
| type unconfined_t; |
| type file_t; |
| role object_r; |
| role unconfined_r; |
| user kernel_u roles unconfined_r level s0 range s0 - s1:c0; |
| user user_u roles unconfined_r level s0 range s0 - s1:c0; |
| user file_u roles object_r level s0 range s0 - s1:c0; |
| sid kernel kernel_u:object_r:unconfined_t:s0 - s1 |
| sid unlabeled user_u:object_r:unconfined_t:s0 |