Xen Statements
==============
Policy version 30 introduced the [`devicetreecon`](cil_xen_statements.md#devicetreecon) statement and also expanded the existing I/O memory range to 64 bits in order to support hardware with more than 44 bits of physical address space (the previous limit, a 32-bit count of 4K pages).
See the ["XSM/FLASK Configuration"](http://xenbits.xen.org/docs/4.2-testing/misc/xsm-flask.txt) document for further information.
iomemcon
--------
Label I/O memory. This may be a single memory location or a range of locations.
**Statement definition:**
```secil
(iomemcon mem_addr|(mem_low mem_high) context_id)
```
**Where:**

| Element | Description |
| --- | --- |
| `iomemcon` | The `iomemcon` keyword. |
| `mem_addr` \| `(mem_low mem_high)` | A single memory address to apply the context to, or a range of addresses. The entries must consist of numerics `[0-9]`. |
| `context_id` | A previously declared context identifier or an anonymous security context (`user role type levelrange`); the range MUST be defined whether or not the policy is MLS/MCS enabled. |

**Example:**
An anonymous context for the memory address range `0xfebe0-0xfebff` (written in decimal, as the statement requires):
```secil
(iomemcon (1043424 1043455) (unconfined.user object_r unconfined.object low_low))
```
ioportcon
---------
Label I/O ports. This may be a single port or a range of ports.
**Statement definition:**
```secil
(ioportcon port|(port_low port_high) context_id)
```
**Where:**

| Element | Description |
| --- | --- |
| `ioportcon` | The `ioportcon` keyword. |
| `port` \| `(port_low port_high)` | A single port to apply the context to, or a range of ports. The entries must consist of numerics `[0-9]`. |
| `context_id` | A previously declared context identifier or an anonymous security context (`user role type levelrange`); the range MUST be defined whether or not the policy is MLS/MCS enabled. |

**Example:**
An anonymous context for the single port `0xecc0` (written in decimal, as the statement requires):
```secil
(ioportcon 60608 (unconfined.user object_r unconfined.object low_low))
```
pcidevicecon
------------
Label a PCI device.
**Statement definition:**
```secil
(pcidevicecon device context_id)
```
**Where:**

| Element | Description |
| --- | --- |
| `pcidevicecon` | The `pcidevicecon` keyword. |
| `device` | The device number. The entries must consist of numerics `[0-9]`. |
| `context_id` | A previously declared context identifier or an anonymous security context (`user role type levelrange`); the range MUST be defined whether or not the policy is MLS/MCS enabled. |

**Example:**
An anonymous context for the PCI device address `0xc800` (written in decimal, as the statement requires):
```secil
(pcidevicecon 51200 (unconfined.user object_r unconfined.object low_low))
```
pirqcon
-------
Label an interrupt level.
**Statement definition:**
```secil
(pirqcon irq_level context_id)
```
**Where:**

| Element | Description |
| --- | --- |
| `pirqcon` | The `pirqcon` keyword. |
| `irq_level` | The interrupt request number. The entries must consist of numerics `[0-9]`. |
| `context_id` | A previously declared context identifier or an anonymous security context (`user role type levelrange`); the range MUST be defined whether or not the policy is MLS/MCS enabled. |

**Example:**
An anonymous context for IRQ 33:
```secil
(pirqcon 33 (unconfined.user object_r unconfined.object low_low))
```
devicetreecon
-------------
Label device tree nodes.
**Statement definition:**
```secil
(devicetreecon path context_id)
```
**Where:**

| Element | Description |
| --- | --- |
| `devicetreecon` | The `devicetreecon` keyword. |
| `path` | The device tree path. If it contains spaces, enclose it in double quotes (`"..."`). |
| `context_id` | A previously declared context identifier or an anonymous security context (`user role type levelrange`); the range MUST be defined whether or not the policy is MLS/MCS enabled. |

**Example:**
An anonymous context for a device tree path that contains spaces, so it must be enclosed in double quotes:
```secil
(devicetreecon "/this is/a/path" (unconfined.user object_r unconfined.object low_low))
```
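The five statements above all take their numeric arguments in decimal (`[0-9]`), while the hardware values they label are usually documented in hexadecimal, and `devicetreecon` additionally needs its path quoted when it contains spaces. The following helper, added here as an example and not part of the CIL reference or of the secilc project, converts hex or decimal input into the statement forms shown on this page, rejects inverted ranges, checks I/O memory against the 64-bit width introduced by policy version 30 and I/O ports against a 16-bit port space, and reproduces the page's own examples. The limits `IOMEM_MAX` and `IOPORT_MAX`, the function names, and the use of the page's anonymous context as a default are assumptions of this example.

```python
"""Added example (not part of the CIL reference or of the secilc project):
emit the Xen labelling statements iomemcon, ioportcon, pcidevicecon,
pirqcon and devicetreecon from hexadecimal or decimal input.
"""
from __future__ import annotations

# Assumed limits: policy version 30 widened I/O memory to 64 bits, and the
# x86 I/O port space is 16 bits wide. The anonymous context is the one used
# in the page's examples; a declared context identifier works equally well.
IOMEM_MAX = (1 << 64) - 1
IOPORT_MAX = 0xFFFF
ANON_CONTEXT = "(unconfined.user object_r unconfined.object low_low)"


def _to_int(value: int | str) -> int:
    """Accept an int or a numeric string ('0xfebe0', '60608'); reject negatives."""
    n = value if isinstance(value, int) else int(str(value), 0)
    if n < 0:
        raise ValueError(f"negative value {value!r} is not a valid CIL numeric")
    return n


def _range(low, high, limit: int, what: str) -> str:
    """Render a single value or an ordered (low high) pair, both within 0..limit."""
    lo = _to_int(low)
    hi = lo if high is None else _to_int(high)
    if lo > hi:
        raise ValueError(f"{what}: low {lo:#x} is above high {hi:#x}")
    if hi > limit:
        raise ValueError(f"{what}: {hi:#x} exceeds the {limit:#x} limit")
    return f"{lo}" if high is None else f"({lo} {hi})"


def iomemcon(low, high=None, context: str = ANON_CONTEXT) -> str:
    """(iomemcon mem_addr|(mem_low mem_high) context_id), decimal as required."""
    return f"(iomemcon {_range(low, high, IOMEM_MAX, 'iomemcon')} {context})"


def ioportcon(low, high=None, context: str = ANON_CONTEXT) -> str:
    """(ioportcon port|(port_low port_high) context_id), decimal as required."""
    return f"(ioportcon {_range(low, high, IOPORT_MAX, 'ioportcon')} {context})"


def pcidevicecon(device, context: str = ANON_CONTEXT) -> str:
    """(pcidevicecon device context_id)."""
    return f"(pcidevicecon {_to_int(device)} {context})"


def pirqcon(irq, context: str = ANON_CONTEXT) -> str:
    """(pirqcon irq_level context_id)."""
    return f"(pirqcon {_to_int(irq)} {context})"


def devicetreecon(path: str, context: str = ANON_CONTEXT) -> str:
    """(devicetreecon path context_id); quote the path only when it has spaces."""
    if any(ch.isspace() for ch in path):
        if '"' in path:
            raise ValueError("a quoted device tree path may not contain '\"'")
        path = f'"{path}"'
    return f"(devicetreecon {path} {context})"


def xen_statements() -> list[str]:
    """Reproduce the page's five examples from their hexadecimal forms."""
    return [
        iomemcon("0xfebe0", "0xfebff"),
        ioportcon("0xecc0"),
        pcidevicecon("0xc800"),
        pirqcon(33),
        devicetreecon("/this is/a/path"),
    ]


if __name__ == "__main__":
    print("\n".join(xen_statements()))
```

Running the module prints the same five statements the sections above show; passing a range whose low end is above its high end, or a port above `0xffff`, raises `ValueError` instead of emitting a statement that the compiler or the hypervisor would reject later.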