Selinux grammar


(Difference between revisions)
(perhaps very close to a usable state)
 
(22 intermediate revisions by one user not shown)
Line 7: Line 7:
 
Keywords can be in all uppercase or all lowercase.
 
Keywords can be in all uppercase or all lowercase.
  
Convention followed in this document: ''Italics'' are used for non-terminals. Basically
+
Convention followed in this document: Plain text is used for
it means that there is a defination of the thing else where. When a non-terminal is
+
non-terminals. Basically it means that there is a defination of the
used on the right hand side of a grammar rule there should be some rule in the file
+
thing else where. When a non-terminal is used on the right hand side
with that non-terminal on the left hand side. Items in '''bold''' are literal,
+
of a grammar rule there should be some rule in the file with that
they must appear in the policy file exactly as written. Items in '''''bold italics'''''
+
non-terminal on the left hand side. Items in '''bold''' are literal,
are used for things that can be replaced by some user specified text. They will
+
they must appear in the policy file exactly as written. Items in
also be surrounded with < and > signs to make them clearly different from keywords.
+
''italics'' are used for things that can be replaced by
 +
some user specified text. They will also be surrounded with < and >
 +
signs to make them clearly different from keywords.
  
 
Any item in [ square brackets ] is an optional item. Items with a * after them
 
Any item in [ square brackets ] is an optional item. Items with a * after them
Line 20: Line 22:
 
be repeated. Vertical lines | are used to indicate alternatives.
 
be repeated. Vertical lines | are used to indicate alternatives.
  
A file must contain either a ''base_policy'' or a ''module_policy''.
+
A file must contain either a base_policy or a module_policy.
  
----
+
== base policy ==
  
base_policy = ''class_def''+ ''initial_sids'' ''access_vectors'' ''opt_mls'' ''te_rbac'' ''users'' ''opt_constraints'' ''initial_sid_contexts'' ''opt_fs_contexts'' ''opt_fs_uses'' ''opt_genfs_contexts'' ''net_contexts''
+
base_policy = class_def+ initial_sid_def+ access_vectors [mls] te_rbac user_def+ [constraint_decl+] initial_sid_context_def+ [fs_context_def+] [fs_use_def+] [genfs_context_def+] [port_context_def+] [netif_context_def+] [node_context_def+]
  
----
+
class_def = '''CLASS''' ''<identifier>''
  
module_policy = '''MODULE''' '''''identifier''''' '''''version_identifier''''' ''';''' avrules_block
+
initial_sid_def = '''SID''' ''<identifier>''
  
avrules_block = ''avrule_decl''+ ''user_def''*
+
access_vectors = [common_perms_def +] av_perms_def+
  
avrule_decl = ''rbac_decl'' | ''te_decl'' | ''cond_stmt_def'' | ''require_block'' | ''optional_block'' | ''';'''
+
av_perms_def = '''CLASS''' ''<identifier>'' '''{''' ''<identifier>'' + '''}''' | '''CLASS''' ''<identifier>'' '''INHERITS''' ''<identifier>''  | '''CLASS''' ''<identifier>'' '''INHERITS''' ''<identifier>'' '''{''' ''<identifier>'' + '''}'''
  
user_def = '''USER''' '''''identifier''''' '''ROLES''' '''''names''''' ''opt_mls_user'' ''';'''
+
initial_sid_context_def = '''SID''' ''<identifier>'' security_context_def
  
----
+
constraint_decl = constraint_def | validatetrans_def
  
Some token definations:
+
constraint_def = '''CONSTRAIN''' names names cexpr ''';'''
  
version_identifier = xxx
+
validatetrans_def = '''VALIDATETRANS''' names cexpr ''';'''
  
 
----
 
----
  
class_def = '''CLASS''' '''''identifier'''''
+
fs_context_def = '''FSCON''' ''<number>'' ''<number>'' security_context_def security_context_def
  
initial_sids = initial_sid_def | initial_sids initial_sid_def
+
port_context_def = '''PORTCON''' ''<identifier>'' ''<number>'' security_context_def | '''PORTCON''' ''<identifier>'' ''<number>'' '-' ''<number>'' security_context_def
  
initial_sid_def = SID identifier
+
netif_context_def = '''NETIFCON''' ''<identifier>'' security_context_def security_context_def
  
access_vectors = opt_common_perms av_perms
+
node_context_def = '''NODECON''' ''<ipv4_addr>'' ''<ipv4_addr>'' security_context_def | '''NODECON''' ''<ipv6_addr>'' ''<ipv6_addr>'' security_context_def
  
opt_common_perms = common_perms | /* empty */
+
fs_use_def = '''FSUSEXATTR''' ''<identifier>'' security_context_def ''';''' | '''FSUSETASK''' ''<identifier>'' security_context_def ''';''' | '''FSUSETRANS''' ''<identifier>'' security_context_def ''';'''
  
common_perms = common_perms_def | common_perms common_perms_def
+
genfs_context_def = '''GENFSCON''' ''<identifier>'' ''<path>'' '-' ''<identifier>'' security_context_def | '''GENFSCON''' ''<identifier>'' ''<path>'' '-' '-'  security_context_def | '''GENFSCON''' ''<identifier>'' ''<path>'' security_context_def
  
common_perms_def = COMMON identifier '{' identifier_list '}'
+
security_context_def = ''<identifier>'' ''':''' ''<identifier>'' ''':''' ''<identifier>'' [''':''' mls_range_def]
  
av_perms = av_perms_def | av_perms av_perms_def
+
----
  
av_perms_def = CLASS identifier '{' identifier_list '}' | CLASS identifier INHERITS identifier  | CLASS identifier INHERITS identifier '{' identifier_list '}'
+
mls_range_def = mls_level_def '-' mls_level_def | mls_level_def
  
opt_mls = mls | /* empty */
+
mls_level_def = ''<identifier>'' ''':''' id_comma_list | ''<identifier>''
  
mls = sensitivities dominance opt_categories levels mlspolicy
+
id_comma_list = ''<identifier>'' | id_comma_list ',' ''<identifier>''
  
sensitivities = sensitivity_def | sensitivities sensitivity_def
+
== module policy ==
  
sensitivity_def = SENSITIVITY identifier alias_def ';' | SENSITIVITY identifier ';'
+
module_policy = '''MODULE''' ''<identifier>'' ''<version_identifier>'' ''';''' avrules_block
  
alias_def = ALIAS names
+
avrules_block = avrule_decl+ user_def*
  
dominance = DOMINANCE identifier | DOMINANCE '{' identifier_list '}'  
+
avrule_decl = rbac_decl | te_decl | cond_stmt_def | require_block | optional_block | ''';'''
  
opt_categories = categories | /* empty */
+
user_def = '''USER''' ''<identifier>'' '''ROLES''' names ['''LEVEL''' mls_level_def '''RANGE''' mls_range_def] ''';'''
  
categories = category_def | categories category_def
+
----
  
category_def = CATEGORY identifier alias_def ';' | CATEGORY identifier ';'
+
rbac_decl = role_type_def | role_dominance | role_trans_def | role_allow_def
  
levels = level_def | levels level_def
+
role_type_def = '''ROLE''' ''<identifier>'' '''TYPES''' names ''';''' | '''ROLE''' ''<identifier>''';'
  
level_def = LEVEL identifier ':' id_comma_list ';' | LEVEL identifier ';'  
+
role_dominance = '''DOMINANCE''' '''{''' role_def+ '''}'''
  
mlspolicy = mlspolicy_decl | mlspolicy mlspolicy_decl
+
role_allow_def = '''ALLOW''' names names ''';'''
  
mlspolicy_decl = mlsconstraint_def | mlsvalidatetrans_def
+
role_trans_def = '''ROLE_TRANSITION''' names names ''<identifier>'' ''';'''
  
mlsconstraint_def = MLSCONSTRAIN names names cexpr ';'
+
role_def = '''ROLE''' ''<identifier>'' ''';''' | '''ROLE''' ''<identifier>'' '''{''' role_def+ '''}'''
  
mlsvalidatetrans_def = MLSVALIDATETRANS names cexpr ';'
+
te_decl = '''ATTRIBUTE''' ''<identifier>'' ''';''' | type_def | '''TYPEALIAS''' ''<identifier>'' alias_def ''';''' | '''TYPEATTRIBUTE''' ''<identifier>'' id_comma_list ''';''' | '''BOOL''' ''<identifier>'' ('''CTRUE''' | '''CFALSE''') ''';''' | transition_def | range_trans_def | te_avtab_def | '''PERMISSIVE''' ''<identifier>'' ''';'''
  
te_rbac = te_rbac_decl | te_rbac te_rbac_decl
+
te_rbac = ( te_decl | rbac_decl | cond_stmt_def | optional_block | POLICYCAP ''<identifier>'' ''';''' | ''';''' )+
  
te_rbac_decl = te_decl | rbac_decl | cond_stmt_def | optional_block | policycap_def | ';'
+
te_avtab_def = '''ALLOW''' names names ''':''' names names  ''';''' | '''AUDITALLOW''' names names ''':''' names names ''';''' | '''AUDITDENY''' names names ''':''' names names ''';''' | '''DONTAUDIT''' names names ''':''' names names ''';''' | '''NEVERALLOW''' names names ''':''' names names  ''';'''
  
rbac_decl = role_type_def | role_dominance | role_trans_def | role_allow_def
+
----
  
te_decl = attribute_def | type_def | typealias_def | typeattribute_def | bool_def | transition_def | range_trans_def | te_avtab_def | permissive_def
+
require_block = '''REQUIRE''' '''{''' require_decl+ '''}'''
  
attribute_def = ATTRIBUTE identifier ';'
+
require_decl = CLASS ''<identifier>'' names ''';''' | (ROLE | TYPE | ATTRIBUTE | USER | BOOL | SENSITIVITY | CATEGORY) ''<identifier>'' (''',''' ''<identifier>'' )* ''';'''
  
type_def = TYPE identifier alias_def opt_attr_list ';' | TYPE identifier opt_attr_list ';'
+
----
  
typealias_def = TYPEALIAS identifier alias_def ';'
+
optional_block = '''OPTIONAL''' '''{''' avrules_block '''}''' [ '''ELSE''' '''{''' avrules_block '''}''' ]
  
typeattribute_def = TYPEATTRIBUTE identifier id_comma_list ';'
+
----
 
+
opt_attr_list = ',' id_comma_list | /* empty */
+
 
+
bool_def = BOOL identifier bool_val ';'
+
 
+
bool_val = CTRUE | CFALSE
+
 
+
cond_stmt_def = IF cond_expr '{' cond_pol_list '}' cond_else
+
 
+
cond_else = ELSE '{' cond_pol_list '}' | /* empty */
+
 
+
cond_expr = '(' cond_expr ')' | NOT cond_expr | cond_expr AND cond_expr | cond_expr OR cond_expr | cond_expr XOR cond_expr | cond_expr EQUALS cond_expr | cond_expr NOTEQUAL cond_expr | cond_expr_prim
+
  
cond_expr_prim = identifier
+
cond_stmt_def = '''IF''' cond_expr '''{''' cond_rule_def* '''}''' [ '''ELSE''' '''{''' cond_rule_def* '''}''' ]
  
cond_pol_list = cond_pol_list cond_rule_def  | /* empty */
+
cond_expr = '(' cond_expr ')' | '''NOT''' cond_expr | cond_expr '''AND''' cond_expr | cond_expr '''OR''' cond_expr | cond_expr '''XOR''' cond_expr | cond_expr '''EQUALS''' cond_expr | cond_expr '''NOTEQUAL''' cond_expr | ''<identifier>''
  
 
cond_rule_def = cond_transition_def | cond_te_avtab_def | require_block  
 
cond_rule_def = cond_transition_def | cond_te_avtab_def | require_block  
  
cond_transition_def = TYPE_TRANSITION names names ':' names identifier ';' | TYPE_MEMBER names names ':' names identifier ';' | TYPE_CHANGE names names ':' names identifier ';'  
+
cond_transition_def = '''TYPE_TRANSITION''' names names ':' names ''<identifier>'' ';' | '''TYPE_MEMBER''' names names ':' names ''<identifier>'' ';' | '''TYPE_CHANGE''' names names ':' names ''<identifier>'' ';'  
  
cond_te_avtab_def = cond_allow_def | cond_auditallow_def | cond_auditdeny_def | cond_dontaudit_def
+
cond_te_avtab_def = '''ALLOW''' names names ''':''' names names  ''';''' | '''AUDITALLOW''' names names ''':''' names names ''';''' | '''AUDITDENY''' names names ''':''' names names ''';''' | '''DONTAUDIT''' names names ''':''' names names ''';'''
  
cond_allow_def = ALLOW names names ':' names names  ';'
+
----
  
cond_auditallow_def = AUDITALLOW names names ':' names names ';'
+
type_def = '''TYPE''' ''<identifier>'' alias_def [',' id_comma_list] ''';''' | '''TYPE''' ''<identifier>'' [',' id_comma_list] ''';'''
  
cond_auditdeny_def = AUDITDENY names names ':' names names ';'
+
----
  
cond_dontaudit_def = DONTAUDIT names names ':' names names ';'
+
names = ''<identifier>'' | nested_id_set | '''*''' | '''~''' ''<identifier>'' | '''~''' nested_id_set | ''<identifier>'' '''-'''  ''<identifier>''  
  
transition_def = TYPE_TRANSITION names names ':' names identifier ';' | TYPE_MEMBER names names ':' names identifier ';' | TYPE_CHANGE names names ':' names identifier ';'
+
----
  
range_trans_def = RANGE_TRANSITION names names mls_range_def ';' | RANGE_TRANSITION names names ':' names mls_range_def ';'  
+
common_perms_def = '''COMMON''' ''<identifier>'' '''{''' ''<identifier>'' + '''}'''
  
te_avtab_def = allow_def | auditallow_def | auditdeny_def | dontaudit_def | neverallow_def
+
mls = sensitivity_def+ dominance [category_def+] level_def+ mlspolicy_decl+
  
allow_def = ALLOW names names ':' names names  ';'
+
sensitivity_def = '''SENSITIVITY''' ''<identifier>'' alias_def ';' | '''SENSITIVITY''' ''<identifier>'' ''';'''
  
auditallow_def = AUDITALLOW names names ':' names names ';'
+
alias_def = '''ALIAS''' names
  
auditdeny_def = AUDITDENY names names ':' names names ';'
+
dominance = '''DOMINANCE''' ''<identifier>'' | '''DOMINANCE''' '''{''' ''<identifier>'' + '''}'''  
  
dontaudit_def = DONTAUDIT names names ':' names names ';'
+
category_def = '''CATEGORY''' ''<identifier>'' alias_def ';' | '''CATEGORY''' ''<identifier>'' ''';'''
  
neverallow_def = NEVERALLOW names names ':' names names  ';'
+
level_def = '''LEVEL''' ''<identifier>'' ':' id_comma_list ';' | '''LEVEL''' ''<identifier>'' ''';'''  
  
role_type_def = ROLE identifier TYPES names ';' | ROLE identifier';'
+
mlspolicy_decl = '''MLSCONSTRAIN''' names names cexpr ';' | '''MLSVALIDATETRANS''' names cexpr ''';'''
  
role_dominance = DOMINANCE '{' roles '}'
+
transition_def = '''TYPE_TRANSITION''' names names ''':''' names ''<identifier>'' ''';''' | '''TYPE_MEMBER''' names names ''':''' names ''<identifier>'' ''';''' | '''TYPE_CHANGE''' names names ''':''' names ''<identifier>'' ''';'''
  
role_trans_def = ROLE_TRANSITION names names identifier ';'
+
range_trans_def = '''RANGE_TRANSITION''' names names mls_range_def ''';''' | '''RANGE_TRANSITION''' names names ''':''' names mls_range_def ''';'''  
  
role_allow_def = ALLOW names names ';'
+
----
  
roles = role_def | roles role_def
+
cexpr = '(' cexpr ')' | '''NOT''' cexpr | cexpr '''AND''' cexpr | cexpr '''OR''' cexpr | cexpr_prim
  
role_def = ROLE identifier_push ';' | ROLE identifier_push '{' roles '}'
+
cexpr_prim = U1 op U2 | R1 role_mls_op R2 | T1 op T2 | U1 op names_push | U2 op names_push | U3 op names_push | R1 op names_push | R2 op names_push | R3 op names_push | T1 op names_push | T2 op names_push | T3 op names_push | '''SAMEUSER''' | '''SOURCE''' '''ROLE''' names_push | '''TARGET''' '''ROLE''' names_push | '''ROLE''' role_mls_op | '''SOURCE''' '''TYPE''' names_push | '''TARGET''' '''TYPE''' names_push | L1 role_mls_op L2 | L1 role_mls_op H2 | H1 role_mls_op L2 | H1 role_mls_op H2 | L1 role_mls_op H1 | L2 role_mls_op H2
  
opt_constraints = constraints | /* empty */
+
op = '''EQUALS''' | '''NOTEQUAL'''
  
constraints = constraint_decl | constraints constraint_decl
+
role_mls_op = op | '''DOM''' | '''DOMBY''' | '''INCOMP'''
  
constraint_decl = constraint_def | validatetrans_def
+
== token definations ==
  
constraint_def = CONSTRAIN names names cexpr ';'
+
names_push = ''<identifier>'' | '''{''' identifier_list_push '''}''' | '''*''' | '''~''' ''<identifier>'' | '''~''' '''{''' identifier_list_push '''}'''
  
validatetrans_def = VALIDATETRANS names cexpr ';'
+
identifier_list_push = ''<identifier>'' | identifier_list_push ''<identifier>''
  
cexpr = '(' cexpr ')' | NOT cexpr | cexpr AND cexpr | cexpr OR cexpr | cexpr_prim
+
nested_id_set = '''{''' nested_id_list '''}'''
 
+
cexpr_prim = U1 op U2 | R1 role_mls_op R2 | T1 op T2 | U1 op names_push | U2 op names_push | U3 op names_push | R1 op names_push | R2 op names_push | R3 op names_push | T1 op names_push | T2 op names_push | T3 op names_push | SAMEUSER | SOURCE ROLE names_push | TARGET ROLE names_push | ROLE role_mls_op | SOURCE TYPE names_push | TARGET TYPE names_push | L1 role_mls_op L2 | L1 role_mls_op H2 | H1 role_mls_op L2 | H1 role_mls_op H2 | L1 role_mls_op H1 | L2 role_mls_op H2
+
 
+
op = EQUALS | NOTEQUAL
+
 
+
role_mls_op = op | DOM | DOMBY | INCOMP
+
 
+
users = user_def | users user_def
+
 
+
opt_mls_user = LEVEL mls_level_def RANGE mls_range_def | /* empty */
+
 
+
initial_sid_contexts = initial_sid_context_def | initial_sid_contexts initial_sid_context_def
+
 
+
initial_sid_context_def = SID identifier security_context_def
+
 
+
opt_fs_contexts = fs_contexts | /* empty */
+
 
+
fs_contexts = fs_context_def | fs_contexts fs_context_def
+
 
+
fs_context_def = FSCON number number security_context_def security_context_def
+
 
+
net_contexts = opt_port_contexts opt_netif_contexts opt_node_contexts
+
 
+
opt_port_contexts = port_contexts | /* empty */
+
 
+
port_contexts = port_context_def | port_contexts port_context_def
+
 
+
port_context_def = PORTCON identifier number security_context_def | PORTCON identifier number '-' number security_context_def
+
 
+
opt_netif_contexts = netif_contexts | /* empty */
+
 
+
netif_contexts = netif_context_def | netif_contexts netif_context_def
+
 
+
netif_context_def = NETIFCON identifier security_context_def security_context_def
+
 
+
opt_node_contexts = node_contexts | /* empty */
+
 
+
node_contexts = node_context_def | node_contexts node_context_def
+
 
+
node_context_def = NODECON ipv4_addr_def ipv4_addr_def security_context_def | NODECON ipv6_addr ipv6_addr security_context_def
+
 
+
opt_fs_uses = fs_uses | /* empty */
+
 
+
fs_uses = fs_use_def | fs_uses fs_use_def
+
 
+
fs_use_def = FSUSEXATTR identifier security_context_def ';' | FSUSETASK identifier security_context_def ';' | FSUSETRANS identifier security_context_def ';'
+
 
+
opt_genfs_contexts = genfs_contexts | /* empty */
+
 
+
genfs_contexts = genfs_context_def | genfs_contexts genfs_context_def
+
 
+
genfs_context_def = GENFSCON identifier path '-' identifier security_context_def | GENFSCON identifier path '-' '-'  security_context_def | GENFSCON identifier path security_context_def
+
 
+
ipv4_addr_def = IPV4_ADDR
+
 
+
security_context_def = identifier ':' identifier ':' identifier opt_mls_range_def
+
 
+
opt_mls_range_def = ':' mls_range_def | /* empty */
+
 
+
mls_range_def = mls_level_def '-' mls_level_def | mls_level_def
+
 
+
mls_level_def = identifier ':' id_comma_list | identifier
+
 
+
id_comma_list = identifier | id_comma_list ',' identifier
+
 
+
tilde = '~'
+
 
+
asterisk = '*'
+
 
+
names = identifier | nested_id_set | asterisk | tilde identifier | tilde nested_id_set | identifier '-'  identifier
+
 
+
tilde_push = tilde
+
 
+
asterisk_push = asterisk
+
 
+
names_push = identifier_push | '{' identifier_list_push '}' | asterisk_push | tilde_push identifier_push | tilde_push '{' identifier_list_push '}'
+
 
+
identifier_list_push = identifier_push | identifier_list_push identifier_push
+
 
+
identifier_push = IDENTIFIER
+
 
+
identifier_list = identifier | identifier_list identifier
+
 
+
nested_id_set = '{' nested_id_list '}'
+
  
 
nested_id_list = nested_id_element | nested_id_list nested_id_element
 
nested_id_list = nested_id_element | nested_id_list nested_id_element
  
 
nested_id_element = identifier | '-'  identifier | nested_id_set
 
nested_id_element = identifier | '-'  identifier | nested_id_set
 
identifier = IDENTIFIER
 
 
path = PATH
 
 
number = NUMBER
 
 
ipv6_addr = IPV6_ADDR
 
 
policycap_def = POLICYCAP identifier ';'
 
 
permissive_def = PERMISSIVE identifier ';'
 
 
version_identifier = VERSION_IDENTIFIER
 
 
require_block = REQUIRE '{' require_list '}'
 
 
require_list = require_list require_decl | require_decl
 
 
require_decl = require_class ';' | require_decl_def require_id_list ';'
 
 
require_class = CLASS identifier names
 
 
require_decl_def = ROLE | TYPE | ATTRIBUTE | USER | BOOL | SENSITIVITY | CATEGORY
 
 
require_id_list = identifier | require_id_list ',' identifier
 
 
optional_block = optional_decl '{' avrules_block '}' optional_else
 
 
optional_else = else_decl '{' avrules_block '}' | /* empty */
 
 
optional_decl = OPTIONAL
 
 
else_decl = ELSE
 

Latest revision as of 05:41, 9 November 2008

This is my attempt at documenting the policy grammar that is accepted by checkpolicy. The grammar was taken directly from the bison input file and edited to make it more readable for the wiki system.

Comments start with a # character and continue to the end of the line.

Keywords can be in all uppercase or all lowercase.

Convention followed in this document: Plain text is used for non-terminals. Basically it means that there is a definition of the thing elsewhere. When a non-terminal is used on the right hand side of a grammar rule there should be some rule in the file with that non-terminal on the left hand side. Items in bold are literal; they must appear in the policy file exactly as written. Items in italics are used for things that can be replaced by some user specified text. They will also be surrounded with < and > signs to make them clearly different from keywords.

Any item in [ square brackets ] is an optional item. Items with a * after them can be repeated zero or more times. Items with a + after them can be repeated one or more times. Parentheses are used to group items that can be repeated. Vertical lines | are used to indicate alternatives.

A file must contain either a base_policy or a module_policy.

base policy

base_policy = class_def+ initial_sid_def+ access_vectors [mls] te_rbac user_def+ [constraint_decl+] initial_sid_context_def+ [fs_context_def+] [fs_use_def+] [genfs_context_def+] [port_context_def+] [netif_context_def+] [node_context_def+]

class_def = CLASS <identifier>

initial_sid_def = SID <identifier>

access_vectors = [common_perms_def +] av_perms_def+

av_perms_def = CLASS <identifier> { <identifier> + } | CLASS <identifier> INHERITS <identifier> | CLASS <identifier> INHERITS <identifier> { <identifier> + }

initial_sid_context_def = SID <identifier> security_context_def

constraint_decl = constraint_def | validatetrans_def

constraint_def = CONSTRAIN names names cexpr ;

validatetrans_def = VALIDATETRANS names cexpr ;


fs_context_def = FSCON <number> <number> security_context_def security_context_def

port_context_def = PORTCON <identifier> <number> security_context_def | PORTCON <identifier> <number> '-' <number> security_context_def

netif_context_def = NETIFCON <identifier> security_context_def security_context_def

node_context_def = NODECON <ipv4_addr> <ipv4_addr> security_context_def | NODECON <ipv6_addr> <ipv6_addr> security_context_def

fs_use_def = FSUSEXATTR <identifier> security_context_def ; | FSUSETASK <identifier> security_context_def ; | FSUSETRANS <identifier> security_context_def ;

genfs_context_def = GENFSCON <identifier> <path> '-' <identifier> security_context_def | GENFSCON <identifier> <path> '-' '-' security_context_def | GENFSCON <identifier> <path> security_context_def

security_context_def = <identifier> : <identifier> : <identifier> [: mls_range_def]


mls_range_def = mls_level_def '-' mls_level_def | mls_level_def

mls_level_def = <identifier> : id_comma_list | <identifier>

id_comma_list = <identifier> | id_comma_list ',' <identifier>

module policy

module_policy = MODULE <identifier> <version_identifier> ; avrules_block

avrules_block = avrule_decl+ user_def*

avrule_decl = rbac_decl | te_decl | cond_stmt_def | require_block | optional_block | ;

user_def = USER <identifier> ROLES names [LEVEL mls_level_def RANGE mls_range_def] ;


rbac_decl = role_type_def | role_dominance | role_trans_def | role_allow_def

role_type_def = ROLE <identifier> TYPES names ; | ROLE <identifier> ;

role_dominance = DOMINANCE { role_def+ }

role_allow_def = ALLOW names names ;

role_trans_def = ROLE_TRANSITION names names <identifier> ;

role_def = ROLE <identifier> ; | ROLE <identifier> { role_def+ }

te_decl = ATTRIBUTE <identifier> ; | type_def | TYPEALIAS <identifier> alias_def ; | TYPEATTRIBUTE <identifier> id_comma_list ; | BOOL <identifier> (CTRUE | CFALSE) ; | transition_def | range_trans_def | te_avtab_def | PERMISSIVE <identifier> ;

te_rbac = ( te_decl | rbac_decl | cond_stmt_def | optional_block | POLICYCAP <identifier> ; | ; )+

te_avtab_def = ALLOW names names : names names ; | AUDITALLOW names names : names names ; | AUDITDENY names names : names names ; | DONTAUDIT names names : names names ; | NEVERALLOW names names : names names ;


require_block = REQUIRE { require_decl+ }

require_decl = CLASS <identifier> names ; | (ROLE | TYPE | ATTRIBUTE | USER | BOOL | SENSITIVITY | CATEGORY) <identifier> (, <identifier> )* ;


optional_block = OPTIONAL { avrules_block } [ ELSE { avrules_block } ]


cond_stmt_def = IF cond_expr { cond_rule_def* } [ ELSE { cond_rule_def* } ]

cond_expr = '(' cond_expr ')' | NOT cond_expr | cond_expr AND cond_expr | cond_expr OR cond_expr | cond_expr XOR cond_expr | cond_expr EQUALS cond_expr | cond_expr NOTEQUAL cond_expr | <identifier>

cond_rule_def = cond_transition_def | cond_te_avtab_def | require_block

cond_transition_def = TYPE_TRANSITION names names ':' names <identifier> ';' | TYPE_MEMBER names names ':' names <identifier> ';' | TYPE_CHANGE names names ':' names <identifier> ';'

cond_te_avtab_def = ALLOW names names : names names ; | AUDITALLOW names names : names names ; | AUDITDENY names names : names names ; | DONTAUDIT names names : names names ;


type_def = TYPE <identifier> alias_def [',' id_comma_list] ; | TYPE <identifier> [',' id_comma_list] ;


names = <identifier> | nested_id_set | * | ~ <identifier> | ~ nested_id_set | <identifier> - <identifier>


common_perms_def = COMMON <identifier> { <identifier> + }

mls = sensitivity_def+ dominance [category_def+] level_def+ mlspolicy_decl+

sensitivity_def = SENSITIVITY <identifier> alias_def ';' | SENSITIVITY <identifier> ;

alias_def = ALIAS names

dominance = DOMINANCE <identifier> | DOMINANCE { <identifier> + }

category_def = CATEGORY <identifier> alias_def ';' | CATEGORY <identifier> ;

level_def = LEVEL <identifier> ':' id_comma_list ';' | LEVEL <identifier> ;

mlspolicy_decl = MLSCONSTRAIN names names cexpr ';' | MLSVALIDATETRANS names cexpr ;

transition_def = TYPE_TRANSITION names names : names <identifier> ; | TYPE_MEMBER names names : names <identifier> ; | TYPE_CHANGE names names : names <identifier> ;

range_trans_def = RANGE_TRANSITION names names mls_range_def ; | RANGE_TRANSITION names names : names mls_range_def ;


cexpr = '(' cexpr ')' | NOT cexpr | cexpr AND cexpr | cexpr OR cexpr | cexpr_prim

cexpr_prim = U1 op U2 | R1 role_mls_op R2 | T1 op T2 | U1 op names_push | U2 op names_push | U3 op names_push | R1 op names_push | R2 op names_push | R3 op names_push | T1 op names_push | T2 op names_push | T3 op names_push | SAMEUSER | SOURCE ROLE names_push | TARGET ROLE names_push | ROLE role_mls_op | SOURCE TYPE names_push | TARGET TYPE names_push | L1 role_mls_op L2 | L1 role_mls_op H2 | H1 role_mls_op L2 | H1 role_mls_op H2 | L1 role_mls_op H1 | L2 role_mls_op H2

op = EQUALS | NOTEQUAL

role_mls_op = op | DOM | DOMBY | INCOMP

token definitions

names_push = <identifier> | { identifier_list_push } | * | ~ <identifier> | ~ { identifier_list_push }

identifier_list_push = <identifier> | identifier_list_push <identifier>

nested_id_set = { nested_id_list }

nested_id_list = nested_id_element | nested_id_list nested_id_element

nested_id_element = identifier | '-' identifier | nested_id_set