Revision as of 13:32, 17 October 2008
This is my attempt at documenting the policy grammar that is accepted by checkpolicy.
Comments start with a # character and continue to the end of the line.
Keywords can be in all uppercase or all lowercase.
Conventions followed in this document: italics are used for syntax categories. Items in bold are literal; they must appear in the policy file exactly as written. Bold italics are used for items that are replaced by user-specified text; these are also surrounded with < and > signs to distinguish them clearly from keywords.
Any item in [ square brackets ] is optional. Items followed by * can be repeated zero or more times; items followed by + can be repeated one or more times. Parentheses group items that can be repeated. Vertical lines | separate alternatives.
A file must contain either a base_policy or a module_policy.
module_policy = module <identifier> <version_identifier> ; avrule_decl+ user_def*
avrule_decl = rbac_decl | te_decl | cond_stmt_def | require_block | optional_block | ;
rbac_decl = role_type_def | role_dominance | role_trans_def | role_allow_def
te_decl = attribute_def | type_def | typealias_def | typeattribute_def | bool_def | transition_def | range_trans_def | te_avtab_def | permissive_def
cond_stmt_def = if cond_expr { cond_pol_list } cond_else
require_block = require { require_list }
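The following is an added example (not part of the original page) of a small module_policy that exercises each of the avrule_decl alternatives above: the module header, a require_block, a te_decl, a cond_stmt_def with its cond_else, and an optional_block. The type, class and boolean names are assumed to exist in the base policy (they are refpolicy names); with that assumption it compiles with checkmodule -M -m.

```selinux
# module_policy: module <identifier> <version_identifier> ; followed by avrule_decl+
module example_log 1.0;

# require_block: symbols this module uses but does not define
require {
    type httpd_t;
    type var_log_t;
    class file { read getattr open };
    bool httpd_can_network_connect;
}

# te_decl (type_def): a new type introduced by this module
type example_log_t;

# te_decl (te_avtab_def): an access vector rule
allow httpd_t example_log_t:file { read getattr open };

# cond_stmt_def: if cond_expr { cond_pol_list } cond_else
# The else branch is the cond_else part of the rule.
if (httpd_can_network_connect) {
    allow httpd_t var_log_t:file read;
} else {
    dontaudit httpd_t var_log_t:file read;
}

# optional_block: rules that are linked only if the symbols in its
# own require_block exist in the base policy
optional {
    require { type sshd_t; }
    allow sshd_t example_log_t:file getattr;
}
```

Keywords such as allow or require may also be written in uppercase, and # comments are permitted anywhere a statement may appear, as the text above states.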