class security
class process
class system
class capability
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
class sem
class msg
class msgq
class shm
class ipc
class netlink_route_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
class netlink_dnrt_socket
class association
class netlink_kobject_uevent_socket
class appletalk_socket
class packet
class key
class dccp_socket
class memprotect
class peer
class capability2
class kernel_service
class tun_socket
class binder
class netlink_iscsi_socket
class netlink_fib_lookup_socket
class netlink_connector_socket
class netlink_netfilter_socket
class netlink_generic_socket
class netlink_scsitransport_socket
class netlink_rdma_socket
class netlink_crypto_socket
class infiniband_pkey
class infiniband_endport
class cap_userns
class cap2_userns
class sctp_socket
class icmp_socket
class ax25_socket
class ipx_socket
class netrom_socket
class atmpvc_socket
class x25_socket
class rose_socket
class decnet_socket
class atmsvc_socket
class rds_socket
class irda_socket
class pppox_socket
class llc_socket
class can_socket
class tipc_socket
class bluetooth_socket
class iucv_socket
class rxrpc_socket
class isdn_socket
class phonet_socket
class ieee802154_socket
class caif_socket
class alg_socket
class nfc_socket
class vsock_socket
class kcm_socket
class qipcrtr_socket
class smc_socket
class process2
class bpf
class xdp_socket

sid kernel
sid security
sid unlabeled
sid fs
sid file
sid init
sid untrusted_app

common file
{
  ioctl
  read
  write
  create
  getattr
  setattr
  lock
  relabelfrom
  relabelto
  append
  map
  unlink
  link
  rename
  execute
  quotaon
  mounton
  audit_access
  open
  execmod
  watch
  watch_mount
  watch_sb
  watch_with_perm
  watch_reads
}
common socket
{
  ioctl
  read
  write
  create
  getattr
  setattr
  lock
  relabelfrom
  relabelto
  append
  map
  bind
  connect
  listen
  accept
  getopt
  setopt
  shutdown
  recvfrom
  sendto
  name_bind
}
common ipc
{
  create
  destroy
  getattr
  setattr
  read
  write
  associate
  unix_read
  unix_write
}
common cap
{
  chown
  dac_override
  dac_read_search
  fowner
  fsetid
  kill
  setgid
  setuid
  setpcap
  linux_immutable
  net_bind_service
  net_broadcast
  net_admin
  net_raw
  ipc_lock
  ipc_owner
  sys_module
  sys_rawio
  sys_chroot
  sys_ptrace
  sys_pacct
  sys_admin
  sys_boot
  sys_nice
  sys_resource
  sys_time
  sys_tty_config
  mknod
  lease
  audit_write
  audit_control
  setfcap
}
common cap2
{
  mac_override
  mac_admin
  syslog
  wake_alarm
  block_suspend
  audit_read
}
class filesystem
{
  mount
  remount
  unmount
  getattr
  relabelfrom
  relabelto
  associate
  quotamod
  quotaget
  watch
}
class dir
inherits file
{
  add_name
  remove_name
  reparent
  search
  rmdir
}
class file
inherits file
{
  execute_no_trans
  entrypoint
}
class lnk_file
inherits file
class chr_file
inherits file
{
  execute_no_trans
  entrypoint
}
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
  use
}
class socket
inherits socket
class tcp_socket
inherits socket
{
  node_bind
  name_connect
}
class udp_socket
inherits socket
{
  node_bind
}
class rawip_socket
inherits socket
{
  node_bind
}
class node
{
  recvfrom
  sendto
}
class netif
{
  ingress
  egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
  connectto
}
class unix_dgram_socket
inherits socket
class process
{
  fork
  transition
  sigchld
  sigkill
  sigstop
  signull
  signal
  ptrace
  getsched
  setsched
  getsession
  getpgid
  setpgid
  getcap
  setcap
  share
  getattr
  setexec
  setfscreate
  noatsecure
  siginh
  setrlimit
  rlimitinh
  dyntransition
  setcurrent
  execmem
  execstack
  execheap
  setkeycreate
  setsockcreate
  getrlimit
}
class process2
{
  nnp_transition
  nosuid_transition
}
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
  enqueue
}
class msg
{
  send
  receive
}
class shm
inherits ipc
{
  lock
}
class security
{
  compute_av
  compute_create
  compute_member
  check_context
  load_policy
  compute_relabel
  compute_user
  setenforce
  setbool
  setsecparam
  setcheckreqprot
  read_policy
  validate_trans
}
class system
{
  ipc_info
  syslog_read
  syslog_mod
  syslog_console
  module_request
  module_load
}
class capability
inherits cap
class capability2
inherits cap2
class netlink_route_socket
inherits socket
{
  nlmsg_read
  nlmsg_write
  nlmsg_readpriv
}
class netlink_tcpdiag_socket
inherits socket
{
  nlmsg_read
  nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
  nlmsg_read
  nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
  nlmsg_read
  nlmsg_write
  nlmsg_relay
  nlmsg_readpriv
  nlmsg_tty_audit
}
class netlink_dnrt_socket
inherits socket
class association
{
  sendto
  recvfrom
  setcontext
  polmatch
}
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
  send
  recv
  relabelto
  forward_in
  forward_out
}
class key
{
  view
  read
  write
  search
  link
  setattr
  create
}
class dccp_socket
inherits socket
{
  node_bind
  name_connect
}
class memprotect
{
  mmap_zero
}
class peer
{
  recv
}
class kernel_service
{
  use_as_override
  create_files_as
}
class tun_socket
inherits socket
{
  attach_queue
}
class binder
{
  impersonate
  call
  set_context_mgr
  transfer
}
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
class infiniband_pkey
{
  access
}
class infiniband_endport
{
  manage_subnet
}
class cap_userns
inherits cap
class cap2_userns
inherits cap2
class sctp_socket
inherits socket
{
  node_bind
  name_connect
  association
}
class icmp_socket
inherits socket
{
  node_bind
}
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
class smc_socket
inherits socket
class bpf
{
  map_create
  map_read
  map_write
  prog_load
  prog_run
}
class xdp_socket
inherits socket

sensitivity s0;
dominance { s0  }
category c0;
category c1;
category c2;
category c3;
category c4;
category c5;
category c6;
category c7;
category c8;
category c9;
category c10;
level s0:c0.c10;
mlsconstrain process { transition dyntransition }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

attribute dev_type;
attribute domain;
attribute fs_type;
attribute file_type;
attribute data_file_type;
expandattribute data_file_type false;
attribute mlstrustedsubject;
attribute mlstrustedobject;
attribute appdomain;
attribute untrusted_app_all;

type app_data_file, file_type, data_file_type;
type init, domain, mlstrustedsubject;
type untrusted_app, domain, mlstrustedsubject;
type init_exec, file_type;
type kernel, domain, mlstrustedsubject;
type rootprc, domain, mlstrustedsubject;

type labeledfs, fs_type;
type rootfs, fs_type;
type unlabeled, file_type;

allow kernel unlabeled:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow kernel unlabeled:lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel unlabeled:chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow kernel unlabeled:blk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel unlabeled:sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel unlabeled:fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel unlabeled:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };

allow untrusted_app rootfs:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };
allow untrusted_app unlabeled:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };
allow kernel app_data_file:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };

allow kernel kernel:unix_dgram_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
allow kernel rootfs:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };
allow kernel kernel:netlink_kobject_uevent_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
allow kernel kernel:process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit };
allow kernel kernel:binder { impersonate call set_context_mgr transfer };
allow untrusted_app unlabeled:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow untrusted_app untrusted_app:process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit };
allow untrusted_app untrusted_app:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow untrusted_app untrusted_app:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };
allow untrusted_app unlabeled:lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow untrusted_app unlabeled:chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow untrusted_app kernel:fd { use };
allow kernel untrusted_app:process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit };
allow kernel kernel:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow kernel kernel:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow rootfs labeledfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow kernel kernel:lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel labeledfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow kernel kernel:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };
allow kernel unlabeled:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow untrusted_app app_data_file:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow app_data_file labeledfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow unlabeled labeledfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow kernel kernel:unix_stream_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto };
allow kernel kernel:security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans};
allow kernel rootfs:chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow kernel rootfs:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow kernel rootfs:lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel rootfs:fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel rootfs:sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow kernel rootfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow untrusted_app rootfs:chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow untrusted_app rootfs:lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow untrusted_app rootfs:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow kernel kernel:capability2 { mac_override mac_admin syslog wake_alarm block_suspend audit_read };
allow rootfs rootfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow kernel kernel:udp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind };
allow kernel app_data_file:udp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind };
allow kernel rootfs:udp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind };

allow rootprc rootprc:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow rootprc rootprc:unix_stream_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto };
allow rootprc rootfs:sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow rootprc rootfs:fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow rootprc rootprc:process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit };
allow rootprc untrusted_app:process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit };
allow rootprc rootprc:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };
allow rootprc rootfs:dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir };
allow rootprc rootfs:lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow rootprc rootprc:lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads };
allow rootprc rootfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow rootprc rootfs:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow rootprc rootprc:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow rootprc app_data_file:file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow rootprc rootprc:binder { impersonate call set_context_mgr transfer };
allow rootprc rootprc:unix_dgram_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
allow rootprc rootfs:chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint };
allow rootprc rootprc:security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans};
allow rootprc labeledfs:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
allow rootprc rootprc:capability2 { mac_override mac_admin syslog wake_alarm block_suspend audit_read };
allow rootprc rootprc:netlink_kobject_uevent_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
allow rootprc rootfs:udp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind };
allow rootprc rootprc:udp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind };
allow untrusted_app rootprc:fd { use };

role r;
role r types domain;
user u roles { r } level s0 range s0 - s0:c0.c10;
sid kernel u:r:rootprc:s0
sid security u:object_r:rootprc:s0
sid unlabeled u:object_r:rootfs:s0
sid fs u:object_r:labeledfs:s0
sid file u:object_r:rootfs:s0
sid init u:object_r:rootfs:s0
sid untrusted_app u:object_r:rootfs:s0


fs_use_xattr ext4 u:object_r:labeledfs:s0;

genfscon rootfs / u:object_r:rootfs:s0